Sometimes building a ROP chain is a real pain, especially when you don't have enough gadgets!
You could use a gadget finder such as Ropper, and most often you'll find gadgets ending with a call: this can be very frustrating, because a call will break the ROP chain. Just remember that a call pushes a return address on the stack, so when the called code returns your target jumps back to the instruction right after the gadget, not to the next entry of your chain.
This situation can be avoided using what I call a ROP Re-call.
The concept is simple: prepare the register that will be used in the call so that it points to a simple pop gadget. This causes the address pushed by the call to be popped off the stack as soon as the call is reached, and the gadget's ret then lands on the next entry of your chain, leaving your ROP chain intact.
For example, let's say that you want to use a gadget like this:
0x08048700: pop ebx; add eax, ebx; call ecx;
This gadget will:
- pop the value on top of the stack into ebx
- add ebx to eax and store the result in eax
- call the function pointed to by ecx
The last step will also push the address 0x08048712 (which points right after the gadget) on the stack, causing your program to jump to it as soon as the called function executes its ret instruction.
That will break your ROP chain, and we don't like it.
So, let's do this
ROP Re-call stuff.
Let's say that you find this gadget:
0x0804853a: pop ecx; ret;
So now you can make a Re-call hack like this:
rop += 0x0804853a  # pop ecx; ret; -> this will be executed first
rop += 0x0804853a  # pop ecx; ret; -> popped into ecx: the gadget that will pop out the address pushed by the call
rop += 0x08048700  # pop ebx; add eax, ebx; call ecx; -> the nasty one!
rop += <value for ebx>  # consumed by the pop ebx before the call
# ... the rest of your chain continues here as usual
So, to make things clear, this does:
- Pop into ecx the next value found on the stack, making ecx point to the same pop ecx; ret gadget
- Return into the gadget that ends with the call: pop ebx takes its value from the stack, then the call pushes its return address on the stack and jumps to what ecx points to
- ecx points to a gadget that pops that nasty address into ecx and returns, so the stack remains unaltered and the ret lands on the next entry of your chain
That's all! Now your ROP chain can continue without any problems!
Just keep in mind that after the trick ecx holds the pushed return address, so if you need ecx later in the chain you have to reload it, and that every pop in the nasty gadget consumes one slot of your chain, so leave the corresponding values right after its address.
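To see exactly what happens to the stack, here is a small simulator of the three gadgets above, written for this note and not part of the original post. It models a 32-bit stack as an array, runs the chain from the page (pop ecx; ret twice, then the nasty gadget) and compares it with the same chain where ecx points to a plain ret instead. The plain-ret gadget address, the value popped into ebx and the address of the "next" chain entry are assumptions chosen for the example; the other addresses are the ones used in the article.

```c
#include <stdint.h>
#include <stdio.h>

/* Gadget addresses from the article's example */
#define G_NASTY   0x08048700u  /* pop ebx; add eax, ebx; call ecx */
#define G_AFTER   0x08048712u  /* return address pushed by the call, as given in the article */
#define G_POP_ECX 0x0804853au  /* pop ecx; ret */
/* Hypothetical addresses and values, assumed for this example only */
#define G_RET     0x08048600u  /* a bare ret: what a "normal" call target looks like to the chain */
#define NEXT_LINK 0x08048a00u  /* whatever gadget your chain wants to run next */
#define EBX_VALUE 0x00000010u  /* value consumed by the pop ebx */

#define STACK_SLOTS 32

typedef struct {
    uint32_t eax, ebx, ecx, eip;
    uint32_t stack[STACK_SLOTS];
    int esp;                        /* index into stack[]; grows down like the real one */
} cpu_t;

static uint32_t pop32(cpu_t *c)              { return c->stack[c->esp++]; }
static void     push32(cpu_t *c, uint32_t v) { c->stack[--c->esp] = v; }

/* Execute the gadget at eip. Returns 0 when eip is not a gadget we model. */
static int step(cpu_t *c)
{
    switch (c->eip) {
    case G_POP_ECX:                 /* pop ecx; ret */
        c->ecx = pop32(c);
        c->eip = pop32(c);
        return 1;
    case G_RET:                     /* ret */
        c->eip = pop32(c);
        return 1;
    case G_NASTY:                   /* pop ebx; add eax, ebx; call ecx */
        c->ebx = pop32(c);
        c->eax += c->ebx;
        push32(c, G_AFTER);         /* the call pushes its return address ... */
        c->eip = c->ecx;            /* ... and jumps to whatever ecx points to */
        return 1;
    default:
        return 0;                   /* left the modelled gadgets: chain continued or broke */
    }
}

/* Lay the chain on the stack, "return into" chain[0] and run until control
 * leaves the modelled gadgets. The final eip tells where the chain ended up. */
static cpu_t run_chain(const uint32_t *chain, int n)
{
    cpu_t c = {0};
    c.esp = STACK_SLOTS - n;
    for (int i = 0; i < n; i++)
        c.stack[c.esp + i] = chain[i];
    c.eip = pop32(&c);              /* the overwritten saved return address */
    while (step(&c))
        ;
    return c;
}

/* The article's chain: ecx is primed with the pop ecx; ret gadget itself */
cpu_t recall_chain(void)
{
    const uint32_t chain[] = { G_POP_ECX, G_POP_ECX, G_NASTY, EBX_VALUE, NEXT_LINK };
    return run_chain(chain, 5);
}

/* Same gadget, but ecx points at a plain ret: the pushed return address wins */
cpu_t broken_chain(void)
{
    const uint32_t chain[] = { G_POP_ECX, G_RET, G_NASTY, EBX_VALUE, NEXT_LINK };
    return run_chain(chain, 5);
}

int main(void)
{
    cpu_t r = recall_chain(), b = broken_chain();
    printf("re-call : eip=%#010x ecx=%#010x eax=%#x (NEXT_LINK reached: %s)\n",
           (unsigned)r.eip, (unsigned)r.ecx, (unsigned)r.eax, r.eip == NEXT_LINK ? "yes" : "no");
    printf("no trick: eip=%#010x (landed on the address the call pushed: %s)\n",
           (unsigned)b.eip, b.eip == G_AFTER ? "yes" : "no");
    return 0;
}
```

With the Re-call the simulated chain ends with eip on NEXT_LINK and every slot of the chain consumed, while ecx now holds the pushed address 0x08048712, which is the register you must reload if a later gadget depends on it. Without the trick the plain ret pops that same address into eip and the rest of the chain is never reached.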