[ndesaulniers]

> Using a locally compiled version of PHP we scanned for good candidates for stack pivoting gadgets

Surprised that worked. Guess they got lucky and either got the comiler+optization flags the same as the PHP binary used, or the release process can create higly similar builds.

[chatmasta]

They mention that PH had a custom compiled PHP and that's why they couldn't get the address of the function they wanted to call for evaluating code.

My understanding is that ROP gadgets are a separate issue. Basically you want to find a function that compiles to assembly instructions resembling the ones you need to move the stack pointer to your desired location. Testing this locally shouldn't be a problem, because functions across builds will compile to the same assembly instructions (even if their headers have different load addresses).

Again, that's my understanding - I have a very vague grasp of this stuff.