Idea: The stack would need to look like:

• address of puts (in place of the return address)
• address of exit
• argument to puts call (address of string)

Idea: The stack would need to look like:

• address of system (in place of the return address)
• address of exit
• argument to system call (address of string)

To find the "/bin/sh" string use the searchmem command in GDB PEDA.

Idea: Used fixed addresses for system() and "/bin/sh" and run the exploit test command until the addresses match.

Idea: The stack would need to look like:

• address of mprotect()
• address of buffer start (where the shellcode is located)
• first argument of mprotect()
• 2nd argument of mprotect()

…