I have a program with a heap overflow. It contains some code that is not randomized (is not using ASLR). I want to do a return-oriented programming exploit. Since this is a heap overflow, the first thing I need to do is find a stack pivot, so I can get RSP pointing to a known memory address where my ROP program lives.
What are the state-of-the-art ways to find a stack pivot? What instruction sequences should I look for? Is there a list/database of instruction sequences that can be used as stack pivots?
Also, are there any defenses/mitigations I need to watch out for, or that it would help to be aware of?
For instance, I think I remember that longjmp() calls are a good place to find a stack pivot (e.g., a POP RSP ... RET sequence), assuming I control some value on the stack. However, someone told me that some platforms now incorporate a mitigation to make exploiting longjmp() calls harder: they store setjmp buffers in encrypted form. Is that right, and are there any ways to work around this mitigation, or should I give up on longjmp()s?
Another mitigation is that Windows 8's VirtualProtect function checks that it's being called with RSP set to something reasonable. However, others have documented how to bypass that mitigation, so that's not a barrier -- and anyway, that's not focused on preventing the initial stack pivot. My focus/interest in this question is on the initial stack pivot, not what you do thereafter.
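The question asks which instruction sequences to look for. As an added example (not part of the question or of any answer on this page), here is a small x86-64 byte-pattern scanner for the classic stack-pivot gadgets, run over a constructed code blob. The blob, the pattern list and the helper names (`find_stack_pivots`, `sample_code`) are my own assumptions for illustration; a real search would run a tool such as ROPgadget or ropper over the non-ASLR module instead. The scanner checks every byte offset, not just instruction boundaries, because a usable gadget is often hidden inside the encoding of a longer instruction (here a displacement byte 0x5c followed by a ret yields pop rsp; ret).

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Pattern wildcards: values above 0xff never collide with a real byte. */
#define ANY     0x100   /* any single byte (e.g. the imm8 of add rsp, imm8) */
#define MOV_RSP 0x101   /* ModRM for "mov rsp, <r64>": mod=11, rm=100 (rsp), reg != rsp */

typedef struct {
    const char *name;
    const int  *pattern;
    size_t      len;
} gadget_pattern;

typedef struct {
    size_t      offset;   /* byte offset of the gadget start in the scanned blob */
    size_t      len;      /* bytes matched, up to and including the ret */
    const char *name;
} gadget_hit;

/* Encodings of common x86-64 pivots; each ends in ret (0xc3).
 * This list is illustrative, not exhaustive (no REX.B forms for r8-r15,
 * no xchg via 48 87, no "pop rsp; pop rbp; ret" variants). */
static const int pat_pop_rsp[]   = {0x5c, 0xc3};                    /* pop rsp; ret */
static const int pat_xchg[]      = {0x48, 0x94, 0xc3};              /* xchg rax, rsp; ret */
static const int pat_mov_rsp[]   = {0x48, 0x89, MOV_RSP, 0xc3};     /* mov rsp, r64; ret */
static const int pat_leave[]     = {0xc9, 0xc3};                    /* leave; ret (rsp = rbp; pop rbp) */
static const int pat_add_rsp[]   = {0x48, 0x83, 0xc4, ANY, 0xc3};   /* add rsp, imm8; ret */

static const gadget_pattern patterns[] = {
    {"pop rsp; ret",        pat_pop_rsp, sizeof pat_pop_rsp / sizeof pat_pop_rsp[0]},
    {"xchg rax, rsp; ret",  pat_xchg,    sizeof pat_xchg    / sizeof pat_xchg[0]},
    {"mov rsp, r64; ret",   pat_mov_rsp, sizeof pat_mov_rsp / sizeof pat_mov_rsp[0]},
    {"leave; ret",          pat_leave,   sizeof pat_leave   / sizeof pat_leave[0]},
    {"add rsp, imm8; ret",  pat_add_rsp, sizeof pat_add_rsp / sizeof pat_add_rsp[0]},
};

static int byte_matches(int pat, uint8_t b)
{
    switch (pat) {
    case ANY:     return 1;
    case MOV_RSP: return (b & 0xC7) == 0xC4 && b != 0xE4; /* exclude mov rsp, rsp */
    default:      return pat == b;
    }
}

/* Scan every byte offset of code[0..len) for the patterns above.
 * Returns the total number of matches; only the first max_hits are stored. */
size_t find_stack_pivots(const uint8_t *code, size_t len, gadget_hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t off = 0; off < len; off++) {
        for (size_t p = 0; p < sizeof patterns / sizeof patterns[0]; p++) {
            const gadget_pattern *gp = &patterns[p];
            if (off + gp->len > len) continue;
            size_t i;
            for (i = 0; i < gp->len; i++)
                if (!byte_matches(gp->pattern[i], code[off + i])) break;
            if (i == gp->len) {
                if (n < max_hits) {
                    hits[n].offset = off;
                    hits[n].len    = gp->len;
                    hits[n].name   = gp->name;
                }
                n++;
            }
        }
    }
    return n;
}

/* Constructed sample "text section" (assumption: not taken from any real binary). */
const uint8_t sample_code[] = {
    0x55,                          /*  0: push rbp */
    0x48, 0x89, 0xe5,              /*  1: mov rbp, rsp            (ModRM e5 is NOT mov rsp, r64) */
    0x48, 0x8b, 0x44, 0x24, 0x5c,  /*  4: mov rax, [rsp+0x5c]     (displacement 0x5c sits at offset 8) */
    0xc3,                          /*  9: ret  -> unaligned "pop rsp; ret" starting at offset 8 */
    0x48, 0x83, 0xc4, 0x28,        /* 10: add rsp, 0x28 */
    0xc3,                          /* 14: ret */
    0x48, 0x94,                    /* 15: xchg rax, rsp */
    0xc3,                          /* 17: ret */
    0xc9,                          /* 18: leave */
    0xc3,                          /* 19: ret */
    0x90,                          /* 20: nop */
    0x48, 0x89, 0xc4,              /* 21: mov rsp, rax */
    0xc3,                          /* 24: ret */
    0x48, 0x89, 0xfc,              /* 25: mov rsp, rdi */
    0xc3,                          /* 28: ret */
    0x90,                          /* 29: nop */
};
const size_t sample_code_len = sizeof sample_code;

int main(void)
{
    gadget_hit hits[16];
    size_t n = find_stack_pivots(sample_code, sample_code_len, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("+0x%02zx  %-22s (%zu bytes)\n", hits[i].offset, hits[i].name, hits[i].len);
    printf("%zu pivot candidates\n", n);
    return 0;
}
```

Which hit is usable depends on what the heap overflow gives you: pop rsp and leave need a controlled value already on the stack or in rbp, while xchg rax, rsp and mov rsp, r64 need the source register to hold a pointer into the heap buffer that holds the ROP chain (often the case right after a corrupted vtable or function-pointer call, where the object pointer is still in rax or rdi).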