JonathanSalwan / ROPgadget

This tool lets you search your gadgets on your binaries to facilitate your ROP exploitation. ROPgadget supports ELF, PE and Mach-O format on x86, x64, ARM, ARM64, PowerPC, SPARC, MIPS, RISC-V 64, and RISC-V Compressed architectures.

More JOP gadgets #154

Closed SweetVishnya closed 4 years ago

SweetVishnya commented 4 years ago

Only ra and t9 jumps were supported on MIPS. I added jumps on other registers. I also added support for MIPS j addr for this interesting gadget:

    j 0xdeadbeef
    lw $v0, 0($v1)  <- delay slot
0xdeadbeef:
    lw $ra, 16($sp)
    jr $ra
    addiu $sp, $sp, 28  <- delay slot

This gadget loads a value into v0 from the stack and jumps to the second part, which transfers control to the next gadget address taken from the stack.
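The two-part gadget described in the comment, as an added example that is not ROPgadget's code nor the PR author's: a small Python finder that walks a constructed big-endian MIPS32 buffer, reports every jr through any register together with its delay slot, and, for a j addr, keeps the delay slot and follows the 26-bit target to see whether the second part hands control on through a jr within a few instructions. The instruction encoders, the register table, the base address 0x400000, the lookahead depth and the sample layout are all assumptions made for this example.

```python
"""Toy MIPS32 JOP-gadget finder (added example, not ROPgadget's own code)."""
import struct

# MIPS o32 register names, indexed by register number.
REGS = ["zero", "at", "v0", "v1", "a0", "a1", "a2", "a3",
        "t0", "t1", "t2", "t3", "t4", "t5", "t6", "t7",
        "s0", "s1", "s2", "s3", "s4", "s5", "s6", "s7",
        "t8", "t9", "k0", "k1", "gp", "sp", "fp", "ra"]
R = {name: i for i, name in enumerate(REGS)}


def _s16(v):
    return v - 0x10000 if v & 0x8000 else v


def disasm(word, pc):
    """Decode the few MIPS32 encodings this example needs: (mnemonic, text, extra)."""
    op = word >> 26
    rs, rt = (word >> 21) & 0x1F, (word >> 16) & 0x1F
    imm = _s16(word & 0xFFFF)
    if word == 0:
        return ("nop", "nop", None)
    if op == 0x02:                              # j target: upper 4 bits come from PC+4
        target = ((pc + 4) & 0xF0000000) | ((word & 0x03FFFFFF) << 2)
        return ("j", "j 0x%x" % target, target)
    if op == 0x00 and (word & 0x3F) == 0x08:    # jr rs (R-type, funct 8)
        return ("jr", "jr $%s" % REGS[rs], rs)
    if op == 0x23:                              # lw rt, imm(rs)
        return ("lw", "lw $%s, %d($%s)" % (REGS[rt], imm, REGS[rs]), None)
    if op == 0x09:                              # addiu rt, rs, imm
        return ("addiu", "addiu $%s, $%s, %d" % (REGS[rt], REGS[rs], imm), None)
    return ("unk", ".word 0x%08x" % word, None)


def find_jop_gadgets(code, base, depth=3, big_endian=True):
    """Return [(address, 'insn ; insn ; ...')] for every jr/j gadget in code."""
    fmt = ">I" if big_endian else "<I"
    words = [struct.unpack(fmt, code[i:i + 4])[0] for i in range(0, len(code) - 3, 4)]
    insns = [disasm(w, base + 4 * i) for i, w in enumerate(words)]

    def second_part(addr):
        """From the j target, walk at most `depth` insns to a jr; include its delay slot."""
        i = (addr - base) // 4
        if i < 0 or i >= len(insns):
            return None
        parts = []
        for k in range(i, min(i + depth + 1, len(insns) - 1)):
            parts.append(insns[k][1])
            if insns[k][0] == "jr":
                parts.append(insns[k + 1][1])   # delay slot executes before the jump lands
                return " ; ".join(parts)
        return None                             # target never passes control on: no gadget

    gadgets = []
    for i in range(len(insns) - 1):             # every jump needs a delay slot after it
        mnem, text, extra = insns[i]
        pc = base + 4 * i
        if mnem == "jr":                        # any register, not only $ra / $t9
            gadgets.append((pc, "%s ; %s" % (text, insns[i + 1][1])))
        elif mnem == "j":
            tail = second_part(extra)
            if tail is not None:
                gadgets.append((pc, "%s ; %s ; %s" % (text, insns[i + 1][1], tail)))
    return gadgets


# Encoders used only to build the constructed sample below (assumed layout).
def j(target): return (0x02 << 26) | ((target >> 2) & 0x03FFFFFF)
def jr(rs): return (rs << 21) | 0x08
def lw(rt, off, base_reg): return (0x23 << 26) | (base_reg << 21) | (rt << 16) | (off & 0xFFFF)
def addiu(rt, rs, imm): return (0x09 << 26) | (rs << 21) | (rt << 16) | (imm & 0xFFFF)
NOP = 0

BASE = 0x00400000                               # assumed load address
SAMPLE = [
    NOP,                                        # 0x400000
    j(0x400020),                                # 0x400004  first part of the PR's gadget
    lw(R["v0"], 0, R["v1"]),                    # 0x400008  delay slot: lw $v0, 0($v1)
    j(0x400030),                                # 0x40000c  target has no jr nearby -> dropped
    NOP,                                        # 0x400010
    jr(R["v1"]),                                # 0x400014  jump through a non-ra/t9 register
    addiu(R["a0"], R["sp"], 8),                 # 0x400018  delay slot
    NOP,                                        # 0x40001c
    lw(R["ra"], 16, R["sp"]),                   # 0x400020  second part: lw $ra, 16($sp)
    jr(R["ra"]),                                # 0x400024  jr $ra
    addiu(R["sp"], R["sp"], 28),                # 0x400028  delay slot: addiu $sp, $sp, 28
    NOP,                                        # 0x40002c
    NOP, NOP, NOP, NOP, NOP,                    # 0x400030..  plain code, no jr within depth
]
CODE = b"".join(struct.pack(">I", w) for w in SAMPLE)   # constructed big-endian buffer

if __name__ == "__main__":
    for addr, text in find_jop_gadgets(CODE, BASE):
        print("0x%08x : %s" % (addr, text))
```

The j at 0x40000c is deliberately left out of the results: a direct jump whose target never reaches a jr cannot chain to the next gadget, so a finder that reports every j addr with its delay slot would flood the output with dead ends. The depth argument bounds how far the second part is followed; in a real run you would tune it the same way as ROPgadget's --depth.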