Stack pivoting

ROP with a small buffer

Stack pivoting is a technique used when there is lack of space after RIP to conduct a full ROP chain.

How it works

Stack pivoting consist to take the control of the RSP register and then "fake" the location of the stack frame.

The general target is to set RSP at the beginning of the vulnerable buffer.

There is some ways to do this.

POP RSP gadget

The simplest but also the least likely to exist.

If there is one pop rsp; ret gadget then the attacker can use it to pop the bytes after overwriting RIP.

This gadget requires 8 bytes after RIP.

ret       <-- overwrite RIP
pop rsp   <-- set RSP arbitrary value

XCHG <reg>, RSP

xchg gadget swap the values between the two registers.

This gadget requires 16 bytes after RIP.

ret                 <-- overwrite RIP
pop <reg>           <-- set a register to an arbitrary value
xchg <reg>, rsp     <-- swap rsp and register values


This is the most likely to exist and interesting way to stack pivoting. And it do not requires bytes space after RIP

Every function, excepted main, end with a leave; ret gadget.

leave is equivalent to

mov rsp, rbp
pop rbp

A function ending therefore looks like

mov rsp, rbp
pop rbp
pop rip

That means, when RIP is overwrite, the 8 bytes before overwrite RBP. Then, using leave it's possible to overwrite rbp .

Note that before pop rbp there is a mov rsp, rbp instruction. This instruction set the rsp value at the rbp value. So, if RIP point to leave; ret again, the value of the overwrited rbp gets moved to RSP.

This gadget do not requires byte space after RIP.

Last updated