Tags: ret2libc rop
Rating: 4.0
TL; DR. Execute `write()` and `read()` syscalls by loading arguments via ROP. To set `rax = 0` to perform `read()`, return to the `init_proc()` function. Reconstruct the global offset table's procedure lookup table and complete the exploit with a classic ROP-ret2libc.