====== Session 10 Solutions ======

===== ret-to-plt =====

Idea: The stack would need to look like:

  * address of ''puts'' (in place of the return address)
  * address of ''exit''
  * argument to the ''puts'' call (address of the string)

===== ret-to-libc =====

Idea: The stack would need to look like:

  * address of ''system'' (in place of the return address)
  * address of ''exit''
  * argument to the ''system'' call (address of the string)

To find the ''%%"/bin/sh"%%'' string, use the ''searchmem'' command in GDB PEDA.

===== Brute Force =====

Idea: Use fixed addresses for ''system()'' and ''%%"/bin/sh"%%'' and run the exploit test command repeatedly until the addresses match.

===== mprotect =====

Idea: The stack would need to look like:

  * address of ''mprotect()''
  * address of the buffer start (where the shellcode is located)
  * first argument of ''mprotect()''
  * 2nd argument of ''mprotect()''

...