Tags: pwn 

1. Leak the stack canary.
2. Overwrite the return address with a ROP chain.
3. In the ROP chain:
   * Set the global variable `__stack_prot` to 7 (`PROT_READ | PROT_WRITE | PROT_EXEC`).
   * Call `_dl_make_stack_executable` with `__libc_stack_end` as its argument to make the stack executable (ref: http://radare.today/posts/defeating-baby_rop-with-radare2/ ).
   * Call `read` again to read `execve` `/bin/sh` shellcode onto the stack.
4. Return to the shellcode.
5. Send 'exit\n' to cause the ROP chain to be executed.
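
A defender's check for the effect of step 3, added here as an example and not part of the original write-up: once the stack has been made executable, the process has a mapping that is both writable and executable, and that is visible in `/proc/<pid>/maps`. The sample map lines and the function name `count_wx` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed /proc/<pid>/maps samples (paths and addresses are made up;
 * real layouts vary). */
static const char *MAPS_BEFORE =
    "00400000-004b6000 r-xp 00000000 08:01 131 /srv/chal\n"
    "006b6000-006bc000 rw-p 000b6000 08:01 131 /srv/chal\n"
    "7ffc1a2e0000-7ffc1a301000 rw-p 00000000 00:00 0 [stack]\n";
static const char *MAPS_AFTER =
    "00400000-004b6000 r-xp 00000000 08:01 131 /srv/chal\n"
    "006b6000-006bc000 rw-p 000b6000 08:01 131 /srv/chal\n"
    "7ffc1a2e0000-7ffc1a300000 rw-p 00000000 00:00 0\n"
    "7ffc1a300000-7ffc1a301000 rwxp 00000000 00:00 0 [stack]\n";

/* Count mappings that are both writable and executable.
 * stack_only != 0 restricts the count to lines labelled [stack]. */
int count_wx(const char *maps, int stack_only)
{
    int hits = 0;
    const char *line = maps;

    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[512], perms[5] = "";

        if (len >= sizeof buf)
            len = sizeof buf - 1;          /* truncate over-long lines */
        memcpy(buf, line, len);
        buf[len] = '\0';

        /* Field 1 is the address range, field 2 the permissions (e.g. rwxp). */
        if (sscanf(buf, "%*s %4s", perms) == 1 &&
            perms[1] == 'w' && perms[2] == 'x' &&
            (!stack_only || strstr(buf, "[stack]")))
            hits++;

        line = end ? end + 1 : line + strlen(line);
    }
    return hits;
}

int main(void)
{
    printf("before: %d W+X mapping(s)\n", count_wx(MAPS_BEFORE, 0));
    printf("after:  %d W+X mapping(s), %d on the stack\n",
           count_wx(MAPS_AFTER, 0), count_wx(MAPS_AFTER, 1));
    return 0;
}
```

Counting every W+X mapping (`stack_only` set to 0) is the broader check, since it does not depend on how the kernel labels the affected region.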