
I'm trying to put together a ROP chain. I'm looking for a gadget to do the following:

mov rdi, rdx ; mov rbp, rsp ; ret;

But instead, I have a gadget like this:

mov rdi, rdx ; mov rbp, rsp ; jmp 0x8109b3f7

So, I thought maybe I can use this gadget; all I have to do is point this jmp address (0x8109b3f7) at the next gadget address. But this is not working. I use GDB to set the jmp address like the following:

set *0x8109b3f7=0xgadget_address

It still points to the jmp address, not to the gadget address. Any help on how I can do that?

N.B.: I'm using the x86-64 architecture.

perplex
I'm pretty sure that if the intended solution is a ROP then there's another way out. This would be an unprecedented exploit. How about explaining what kind of ROP chain you are trying to build? – Arav Garg Apr 01 '20 at 17:53

1 Answer

Using jmp may not result in a ROP-friendly return of control to your stack. You're better off finding alternate gadgets to achieve your goal.

Also, for your proposed solution: if your exploit is able to modify the opcodes at 0x8109b3f7, you already have code execution and no need for further ROP.

wireghoul
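To make the answer's point concrete, here is an added toy model (my own code, not from the question or the answer; every address and gadget byte in it is constructed) of why a ret-terminated gadget hands control to whatever address is next on the stack, while a jmp rel32 gadget lands on a destination encoded inside the instruction itself, so writing to the jump destination, as the GDB command in the question does, does not redirect it.

```python
import struct

# Constructed toy memory image: a few x86-64 gadgets. Only ret (C3) and
# jmp rel32 (E9 disp32) are decoded; other bytes are stepped over one at a
# time, which suffices for the mov encodings used here but is NOT a real
# disassembler.
G1 = 0x401000     # mov rdi, rdx ; ret
G2 = 0x402000     # mov rdi, rdx ; mov rbp, rsp ; jmp FIXED   (the gadget in the question)
G3 = 0x404000     # ret  (the gadget we would like to run next)
FIXED = 0x403000  # hard-coded jmp destination, standing in for 0x8109b3f7

def jmp_rel32(at, target):
    """Encode a jmp rel32 located at address `at` so that it lands on `target`."""
    return b"\xE9" + struct.pack("<i", target - (at + 5))

def build_memory():
    mem = {}
    for base, code in [
        (G1, b"\x48\x89\xD7\xC3"),
        (G2, b"\x48\x89\xD7\x48\x89\xE5" + jmp_rel32(G2 + 6, FIXED)),
        (G3, b"\xC3"),
    ]:
        for i, b in enumerate(code):
            mem[base + i] = b
    return mem

def run_gadget(mem, rip, stack):
    """Execute from rip until the first control transfer.
    Returns (new_rip, kind), kind being 'ret' or 'jmp'; ret pops the stack."""
    while True:
        op = mem.get(rip, 0x90)
        if op == 0xC3:                      # ret: destination comes from the stack
            return stack.pop(0), "ret"
        if op == 0xE9:                      # jmp rel32: destination is next_rip + disp
            disp = struct.unpack("<i", bytes(mem.get(rip + 1 + i, 0) for i in range(4)))[0]
            return (rip + 5 + disp) & (2**64 - 1), "jmp"
        rip += 1                            # toy: treat anything else as one byte

def compare():
    mem = build_memory()
    chain = [G3]                            # the address we want executed next
    via_ret = run_gadget(mem, G1, list(chain))          # stack is consulted
    via_jmp = run_gadget(mem, G2, list(chain))          # stack is ignored
    # Writing the wanted address AT the jmp destination (what `set *addr=...`
    # does) changes nothing: the displacement lives inside the instruction at G2+7.
    patched = dict(mem)
    for i, b in enumerate(struct.pack("<Q", G3)):
        patched[FIXED + i] = b
    after_write = run_gadget(patched, G2, list(chain))
    return via_ret, via_jmp, after_write
```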