Tags: pwn 


1. Leak canary
2. Overwrite ret addr with ROP chain
3. In the ROP chain:
* Set global value stack_prot to 7
* Call dl_make_stack_exec with libc_stack_end as argument to make stack executable (ref: http://radare.today/posts/defeating-baby_rop-with-radare2/ )
* Call read again to read execve /bin/sh shellcode onto the stack
4. ret to the shellcode
5. Send 'exit\n' to cause ROP chain to be executed

Original writeup (https://github.com/InfoSecIITR/write-ups/tree/master/2017/hitcon-quals-2017/pwn/start).