nc 10.second.ninja 9090
This is an extremely short program.
0x8048080 6A 03 push 3
0x0804909F, it will invoke sys_read with the following parameters.
| eax | ebx (unsigned int fd) | ecx (char __user *buf) | edx (size_t count) |
This would let us enter input of arbitrary length to 0x0804808B. After the system call, the program will continue to execute the instruction at
0x0804808B - 0x08040A1 = 22, the program will execute from the 23rd byte of the user input. This is where we should put our shellcode.
from pwnlib.tubes.remote import remote