Free Online ROP Gadgets Search

ropshell> use 1aee20173ca5259f866644667ad046d8 (download)
name         : vuln (i386/ELF)
base address : 0x80490a0
total gadgets: 6653

ropshell> suggest "stack pivoting"
> 0x0804a960 : xchg eax, esp; ret
> 0x08049e25 : lea esp, [ecx - 4]; ret
> 0x080a0826 : mov esp, ecx; jmp edx
> 0x0804b4da : lea esp, [ebp - 0xc]; pop ebx; pop esi; pop edi; pop ebp; ret
> 0x0809c2b1 : xchg esp, eax; xor esi, edi; call [eax + 0x6a]
> 0x0809c7c4 : xchg esp, ebp; xor dh, bh; call [eax - 0x75]
> 0x08087869 : lea esp, [ebx + edi*8 - 1]; call [eax + 0x56]
> 0x08084a9b : lea esp, [edi + esi*8 - 1]; call [eax + 0x53]
> 0x0805c572 : xchg esp, edi; or ebp, edi; dec [ebp - 0x3067a69]; call [eax - 0x73]
> 0x08083889 : lea esp, [eax]; idiv edi; dec [ebx - 0x8af7b]; call [edx - 0x75]
> 0x0807f3b9 : xchg edi, esp; add [eax], al; add [ebx + 0x3600b3ac], cl; std ; inc [ecx]; fnstsw [esi]; jmp ebp
> 0x0808246c : xchg esp, esp; pop ds; add [eax], al; push ebx; add ebx, 0x34; call [eax + ecx*4]
> 0x0808246c : xchg esp, esp; pop ds; add [eax], al; push ebx; add ebx, 0x34; call [eax + ecx*4]
> 0x08049c95 : leave ; ret