Tags: ropchain bufferoverflow rop
The executable provided prints out two strings, then reads a string with `gets` into a small local (on-stack) buffer. Since `gets` performs no bounds check, this is the classic stack buffer overflow, where ROP can be used to execute arbitrary code (the goal here being to get a shell).
The file is statically linked and PIE is disabled, so any static ROP chain should work fine. One can be generated using `ROPgadget`:
```shell
ROPgadget --ropchain --binary easy-rop
```
which gives a huge payload (I guess it didn't find a good way to set `eax` to a higher value). Adjusting it via debugging (run under `gdb` and check which address ended up as the first return address) shows that 72 bytes of padding are needed before the payload. The final payload generator is:
```python
# execve generated by ROPgadget
from struct import pack
p += pack('
```
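The whole approach above rests on two properties of `easy-rop` stated in the writeup: it is statically linked and PIE is disabled, so every gadget sits at a fixed address and no leak is needed. The following is an added example (not code from the writeup or from ROPgadget) that reads exactly those properties out of the ELF header and program headers, the same facts a `checksec`-style tool reports. The target binary is not available here, so two minimal ELF64 images are constructed inline: one shaped like the writeup's target (`ET_EXEC`, no interpreter, non-executable stack) and one dynamically linked PIE with an executable stack and partial RELRO. The image builder, the `nx` fallback rule and the helper names are this example's own assumptions.

```python
"""Read the ELF properties that decide whether a static ROP chain is viable.

Added example, not code from the writeup or from ROPgadget. The target
binary is not available here, so two minimal ELF64 images are constructed
inline (header + program headers only, no code) to exercise the checks.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3                      # e_type: fixed-address executable / PIE
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4


def program_headers(data: bytes):
    """Return [(p_type, p_flags), ...] from a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles little-endian ELF64 only")
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    return [struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
            for i in range(e_phnum)]


def check_hardening(data: bytes) -> dict:
    """checksec-style summary: pie, nx, static, relro (PT_GNU_RELRO present)."""
    e_type, = struct.unpack_from("<H", data, 16)
    phdrs = program_headers(data)
    types = {t for t, _ in phdrs}
    stack_flags = [f for t, f in phdrs if t == PT_GNU_STACK]
    # Assumption used here: a missing PT_GNU_STACK header counts as an
    # executable stack, which is what the Linux x86 loader falls back to.
    nx = bool(stack_flags) and not (stack_flags[0] & PF_X)
    return {
        "pie": e_type == ET_DYN,
        "nx": nx,
        "static": PT_INTERP not in types and PT_DYNAMIC not in types,
        "relro": PT_GNU_RELRO in types,
    }


def static_rop_chain_viable(props: dict) -> bool:
    """A precomputed chain only works when gadget addresses are fixed (no PIE).
    Static linking is what makes a self-contained chain practical: the libc
    gadgets are inside the binary, so no address leak is required. NX does not
    stop ROP at all; it only stops jumping into injected shellcode."""
    return not props["pie"] and props["static"]


def build_elf64(e_type: int, phdr_specs) -> bytes:
    """Constructed minimal ELF64 image: 64-byte header followed by 56-byte
    program headers with zeroed offsets and sizes (enough for header checks)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, v1, SYSV ABI
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 0x3E, 1, 0x401000,  # type, x86-64, version, entry (constructed)
        64, 0, 0,                   # e_phoff, e_shoff, e_flags
        64, 56, len(phdr_specs),    # e_ehsize, e_phentsize, e_phnum
        64, 0, 0)                   # e_shentsize, e_shnum, e_shstrndx
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                     for t, f in phdr_specs)
    return header + phdrs


# Constructed sample images (not the real easy-rop binary).
STATIC_NOPIE_IMAGE = build_elf64(ET_EXEC, [
    (PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W)])
DYNAMIC_PIE_IMAGE = build_elf64(ET_DYN, [
    (PT_INTERP, PF_R), (PT_LOAD, PF_R | PF_X), (PT_DYNAMIC, PF_R | PF_W),
    (PT_GNU_STACK, PF_R | PF_W | PF_X), (PT_GNU_RELRO, PF_R)])

if __name__ == "__main__":
    # Pass real ELF paths to inspect them; otherwise report on the two samples.
    if len(sys.argv) > 1:
        targets = {p: open(p, "rb").read() for p in sys.argv[1:]}
    else:
        targets = {"static-nopie": STATIC_NOPIE_IMAGE, "dynamic-pie": DYNAMIC_PIE_IMAGE}
    for name, image in targets.items():
        props = check_hardening(image)
        print(f"{name}: {props} -> static ROP chain viable: "
              f"{static_rop_chain_viable(props)}")
```

Run it with no arguments to see the two constructed samples, or pass a binary path to inspect a real file. From the defender's side the output is the mitigation checklist for this class of bug: a binary that reports `pie: False` and `static: True` is one where a chain like the writeup's works unchanged on every run, whereas building with `-pie -fPIE` and linking dynamically forces an attacker to obtain an address leak before any chain can be aimed. Stack canaries are not visible from the headers alone (they show up as a reference to `__stack_chk_fail` in the symbol table), so this check deliberately does not report them.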