- First, we can overflow and control EIP if our input is longer than 32 letters.
- Second, we can only type printable letters (0x20~0x7f), so we have to make shellcode with these letters.
- Finally, the NX bit is enabled, so we can't run shellcode in the buffer. It means we have to use ROP programming to get a shell.
- It's a 32-bit program, so the function call isn't fastcall, but if we want to do ROP programming we have to use a fastcall function.
The execve function uses the fastcall method even if the program is x86. Now what we have to do is make sure edi, esi and edx hold the proper arguments
for calling execve - #Not finished yet
- We have to bypass canary, NX and ASLR (I couldn't find how to bypass ASLR, so I'll suppose ASLR is turned off).
- ASLR is turned off, so we don't have to know the canary value. (I'll pass it without overwriting it, with FSB.)
- I'll put the system function address in the ret place and the address of '/bin/sh' in the next place.