# Stack pivoting

**Stack pivoting** is a technique used when there is **lack of space after RIP** to conduct a full[ ROP chain](https://www.ctfrecipes.com/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/return-oriented-programming-rop).

## How it works

**Stack pivoting** consist to take the control of the **`RSP`** register and then *"fake"* the location of the [stack frame](https://www.ctfrecipes.com/pwn/general-knowledge/operation-of-the-stack).

The general target is to set **`RSP`** at the beginning of the vulnerable buffer.

There is some ways to do this.

### POP RSP gadget

The simplest but also the least likely to exist.

If there is one `pop rsp; ret` gadget then the attacker can use it to pop the bytes after overwriting RIP.

{% hint style="info" %}
This gadget requires 8 bytes after RIP.

```
ret       <-- overwrite RIP
pop rsp   <-- set RSP arbitrary value
```

{% endhint %}

### XCHG \<reg>, RSP

`xchg` gadget swap the values between the two registers.

{% hint style="info" %}
This gadget requires 16 bytes after RIP.

```
ret                 <-- overwrite RIP
pop <reg>           <-- set a register to an arbitrary value
xchg <reg>, rsp     <-- swap rsp and register values
```

{% endhint %}

### LEAVE; RET

This is the most likely to exist and interesting way to stack pivoting. **And it do not requires bytes space** after RIP

Every function, excepted `main`, end with a `leave; ret` gadget.

`leave` is equivalent to

```
mov rsp, rbp
pop rbp
```

A function ending therefore looks like

```
mov rsp, rbp
pop rbp
pop rip
```

That means, when RIP is overwrite, the 8 bytes before overwrite RBP. Then, using `leave` it's possible to overwrite `rbp` .

Note that before `pop rbp` there is a `mov rsp, rbp` instruction. This instruction set the `rsp` value at the `rbp` value. So, if RIP point to `leave; ret` again, the value of the overwrited `rbp` gets moved to `RSP`.

{% hint style="success" %}
This gadget do not requires byte space after RIP.
{% endhint %}