Rating: 0

We have two input chances every time.
The first one is to input a `string` and the second one to input `delimiters`. Then every byte in `string` will be replaced to `\x00` if the byte occurs in `delimiters`, which is done by `strsep()`

But notice that if we input a `string` of 0x400-byte length, out string is `input_strings + [rbp]` actually. And if the `lsb([rbp])` is in `delimiters`, we will set `lsb([rbp])` to `\x00`. This is the only bug. Because we will have three `leave; ret` continuously, we will pivot our stack. By manipulate our input, we are able to ROP.

Read my [exploit](https://github.com/bash-c/pwn_repo/blob/master/ISITDTU2019_tokenizer/solve.py) for more details and follow [me](https://github.com/bash-c/) if you like this Writeup :)