
I am writing a ROP chain for a vulnerable program (stack overflow, with NX and ASLR turned on).

I follow the execution of my gadgets by watching the stack pointer in gdb-peda. It works well except when it encounters a gadget `mov [eax], edx; ret`. This gadget gets executed, but it is followed by a `push ebx`, even though I didn't put any gadget like that in my ROP chain. And in the end my exploit doesn't work.

I have tried this instruction with different registers, and there is always a `push ebx` that follows, and I don't know why.

Would someone have an idea?

Jonathan Leffler
cc315

1 Answer


A program is not always vulnerable under NX- and ASLR-enabled conditions.

Most of the time, you can't find enough gadgets to produce your ROP exploit.

Maybe you could take a look at ROPgadget.

This tool could help you find useful gadgets to assemble a ROP exploit.

Weibo Chen