Exploit Development – What is a Stack Pivot?

When writing an exploit you might find a vulnerability that gives you control over registers other than EIP; for example, you may be able to change the value of the stack pointer, ESP. Alternatively, you might find a stack-based overflow which, for one reason or another, you can't use to place a complete ROP chain; for example, you may only get to execute a single gadget.

In both of these cases you might find yourself reaching for a stack pivot. This is where you create fake stack frames in another area of memory (for example, in the heap) which form your ROP chain, then change ESP to point at this new, attacker-controlled "stack".


The important register to control for this technique is ESP. You may need to find a ROP gadget that performs a controlled write to it; for example, a pop esp; ret gadget may allow an attacker-controlled value to be placed into the ESP register, letting you use a stack pivot in a wide range of situations.

Once you have control of the stack pointer, building your ROP chain should be functionally the same as building a ROP chain to bypass NX protections in a stack-based buffer overflow.
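From the defender's side, the tell-tale sign of a pivot is exactly the thing described above: after the pivot, ESP no longer points into the thread's own stack mapping but into the heap or some other attacker-controlled region. Exploit mitigations such as EMET's StackPivot check exploit this by comparing the stack pointer against the thread's stack limits on entry to sensitive APIs. The C program below is an added example, not code from the original post; it implements that check on Linux by locating the "[stack]" mapping in /proc/self/maps (assumptions: Linux with /proc mounted, and the check runs on the main thread) and classifies a genuine stack address versus a heap address an attacker might have pivoted to.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Core heuristic: a legitimate stack pointer lies inside the thread's own
 * stack mapping [lo, hi). After a stack pivot it points at the fake stack
 * (heap, data section, ...), so this returns 0. */
int sp_within_stack(uintptr_t sp, uintptr_t lo, uintptr_t hi)
{
    return sp >= lo && sp < hi;
}

/* Find the main thread's stack mapping by reading /proc/self/maps and
 * picking the line tagged "[stack]". Linux-only (assumption: /proc is
 * mounted). Returns 0 on success, -1 if the mapping cannot be found. */
int main_thread_stack_bounds(uintptr_t *lo, uintptr_t *hi)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    char line[512];
    int found = -1;

    if (maps == NULL)
        return -1;
    while (fgets(line, sizeof line, maps) != NULL) {
        unsigned long start, end;
        /* Lines look like: 7ffd8a2b4000-7ffd8a2d5000 rw-p ... [stack] */
        if (strstr(line, "[stack]") != NULL &&
            sscanf(line, "%lx-%lx", &start, &end) == 2) {
            *lo = (uintptr_t)start;
            *hi = (uintptr_t)end;
            found = 0;
            break;
        }
    }
    fclose(maps);
    return found;
}

/* 1 = sp is inside the stack mapping, 0 = sp is outside it (pivoted),
 * -1 = stack bounds are unavailable on this platform. */
int classify_sp(uintptr_t sp)
{
    uintptr_t lo, hi;
    if (main_thread_stack_bounds(&lo, &hi) != 0)
        return -1;
    return sp_within_stack(sp, lo, hi) ? 1 : 0;
}

/* Classify the caller's real stack pointer. The address of a local
 * variable stands in for ESP/RSP: it sits a few bytes above the actual
 * stack pointer but inside the same mapping. */
int classify_current_sp(void)
{
    volatile int marker = 0;
    return classify_sp((uintptr_t)&marker);
}

int main(void)
{
    /* Constructed input: a heap buffer standing in for a fake stack. */
    void *fake_stack = malloc(256);
    printf("real stack pointer: %d\n", classify_current_sp());
    printf("heap address:       %d\n", classify_sp((uintptr_t)fake_stack));
    free(fake_stack);
    return 0;
}
```

On a Linux host the first line prints 1 and the second prints 0, which is the decision a mitigation would make right before a protected API such as VirtualProtect or mprotect runs with a pivoted stack. A production check would obtain per-thread bounds (the TEB on Windows, pthread_getattr_np on glibc) rather than the main-thread-only /proc lookup used here.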

This entry was posted in ROP.