I'm practicing exploit development and one of the scenario I am haing most difficulties with is stack pivoting besides the "ADD ESP, XXX" or something like that.
The question is, during the writing of a ROP chain, when you don't have any usable gadget that mess with ESP register (like ADD, MOV something in it) what can i try to move ESP back to my buffer and so start the ROP chain?
Im on a Intel IA-32 in a Windows environment (7+ with DEP enabled).
Assuming you're building a ROP chain that needs to manipulate the stack, you can always go for semantically equivalent gadgets, e.g. PUSH/POP, MOV ESP XXX, (SUB,ADD) ESP instructions to build the stack: https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/#chainingbasics http://neilscomputerblog.blogspot.com/2012/06/stack-pivoting.html
Also, for XXX/actual constants (immediates) for SUB/ADD ESP XXX, you can always LEA a register then even MOV ESP, XXX/REG:
Last, depending on the DLL/EXE you're searching for gadgets in, if you can't easily ADD/SUB ESP you could do a slew of things (using volatile registers):
;ADD/INC ESP SEMANTICS EQUIVALENT
POP EBX ;semantically same as MOV EBX, ESP; ADD ESP 0x4
XOR EBX, EBX ;zeroes EBX if you wanna reuse the register
;SUB/DEC ESP SEMANTICS EQUIVALENT
PUSH EBX ;semantically same as MOV ESP, EBX; SUB ESP 0x4
You can even get fancy and mov values into a volatile register, SHL/SHR/ROL/ROR it and then use LEA/PUSH. It's all up to you to be creative!
