@LittleWho said:
hi,
I know it’s a late response but maybe it will help someone. I had the same problem, you need to substract 64 bytes from /bin/sh address. I don’t know why it needs this little padding, but I’ve found it after some debug.
If you take a look at libc binary, you will find the “%s%s%s%s%s%s” after “/bin/sh” at a few bytes distance.
THANKS… i got it working locally 16.04.10, but it seems the server uses 16.04.4.