I must say that I do everything exclusively for educational purposes.

I am trying to understand the methods of ROP programming. I found a gadget like this in the kernel:

mov esp, _addr_ ; ret

and handed control over to it.

In _addr_ , I have a stack frame prepared for some task (in fact, it holds the addresses of the ROP gadgets). And when I have done everything I needed to do, the question arises: what next? In general, as I understand it, you need to somehow restore the stack pointer, but I have been sitting on this for 2 days and could not think of anything.

  • Obviously, you need to write into esp the value saved before the line mov esp, _addr_ . - PinkTux
  • But I do not have the opportunity to save the old esp. - Alexey Sarovsky
  • There is no court. Although - it does not happen. What does "no opportunity" mean? - PinkTux
  • How did you get into the "gadget"? An unconditional jump? Is it then possible to save esp to the data segment from the code where you jumped into the "gadget"? - ߊߚߤߘ
  • So it is impossible to continue work under such conditions? "No opportunity" means that I can control one call instruction, that is, go once to a certain address. - Alexey Sarovsky

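As an added example (not from the question or the commenters), here is the defender's side of the problem discussed above: a runtime check, assuming Linux and the main thread, that the stack pointer still lies inside the thread's stack mapping, which is exactly what a stack-pivot detector looks for after a gadget such as mov esp, _addr_ ; ret.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Locate the main thread's stack mapping by scanning /proc/self/maps for the
 * line tagged "[stack]". Returns 1 on success, 0 if not found or unreadable.
 * Linux-specific (an assumption of this example). */
int find_stack_bounds(uintptr_t *lo, uintptr_t *hi) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    char line[512];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (!strstr(line, "[stack]")) continue;
        unsigned long long start, end;
        if (sscanf(line, "%llx-%llx", &start, &end) == 2) {
            *lo = (uintptr_t)start;
            *hi = (uintptr_t)end;
            found = 1;
        }
        break;
    }
    fclose(f);
    return found;
}

/* Pivot check: returns 1 if sp is inside the stack mapping, 0 if it has been
 * moved elsewhere (the signature of a pivot), -1 if bounds are unknown. */
int sp_within_stack(uintptr_t sp) {
    uintptr_t lo, hi;
    if (!find_stack_bounds(&lo, &hi)) return -1;
    return (sp >= lo && sp < hi) ? 1 : 0;
}

/* Checks the caller's own stack pointer, approximated by a local's address. */
int current_sp_is_sane(void) {
    volatile int probe = 0;
    return sp_within_stack((uintptr_t)&probe);
}

int main(void) {
    printf("current stack pointer inside [stack]: %d\n", current_sp_is_sane());
    return 0;
}
```

A monitor would run this check at chosen points (for example on entry to sensitive library functions) and treat a 0 result as a pivoted stack.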