This challenge is pretty much a straightforward stack overflow. It relies on the fact that, when we call realpath, the path variable's size is controlled by our initial read, and the path variable is simply a pointer to a location 4 bytes into buffer. Looking up what realpath does, we find that it copies the given path string into our resolved buffer, expanding any relative paths we might have. realpath will also make sure that the file actually exists and, if it doesn't, it returns NULL. So for our sake we really don't care if we can access the file; realpath will do the same thing for us!
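As an added illustration (not code from this writeup or from the challenge binary), the snippet below shows the bug class in miniature: realpath(3) writes the canonical path into the caller-supplied buffer assuming it has room for PATH_MAX bytes, so a smaller stack buffer fed an attacker-controlled path is a stack overflow. The 64-byte buffer and the function shapes are assumptions for the example, not the challenge's actual layout. The hardened version lets realpath allocate the result and bound-checks the copy; it also exercises the existence check mentioned above, where a path through a nonexistent directory makes realpath return NULL.

```c
/* Added example: unsafe vs. hardened use of realpath(3).
   Sizes and function names are assumptions, not the challenge binary's code. */
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Vulnerable pattern (assumed shape): realpath() may write up to PATH_MAX
   bytes into `resolved`, but only 64 bytes are reserved on the stack, so any
   canonical path longer than 63 characters overwrites the saved frame.
   Never call this with untrusted input; it is here only for comparison. */
int resolve_unsafe(const char *path) {
    char resolved[64];                    /* too small: realpath() assumes PATH_MAX */
    if (realpath(path, resolved) == NULL) /* overflow has already happened by now */
        return -1;
    return 0;
}

/* Hardened: let realpath() allocate the canonical path itself, then copy it
   into the caller's buffer only if it fits. Returns 0 on success,
   -1 if the path does not resolve (nonexistent component, permission, ...),
   -2 if the canonical path would not fit in `outlen` bytes. */
int resolve_safe(const char *path, char *out, size_t outlen) {
    char *canon = realpath(path, NULL);   /* POSIX.1-2008: NULL means "allocate for me" */
    if (canon == NULL)
        return -1;
    size_t need = strlen(canon) + 1;      /* include the terminating NUL */
    if (need > outlen) {
        free(canon);
        return -2;                        /* reject rather than truncate or overflow */
    }
    memcpy(out, canon, need);
    free(canon);
    return 0;
}

int main(int argc, char **argv) {
    char out[PATH_MAX];
    const char *p = argc > 1 ? argv[1] : "/.";  /* "/." canonicalises to "/" */
    int rc = resolve_safe(p, out, sizeof out);
    if (rc == 0)
        printf("%s -> %s\n", p, out);
    else
        printf("%s: realpath failed (rc=%d)\n", p, rc);
    return rc == 0 ? 0 : 1;
}
```

The important difference is not the extra error code but who decides the buffer size: in the unsafe form the attacker's path length decides how much is written, while in the hardened form the callee's own allocation does and the copy is checked against the real destination size.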
So now that we know what we are targeting, we need to make sure we pass the earlier checks to actually get to this point.
So from this we can deduce that our payload is going to be something of the form GET <fill buffer><return address>; HTTP/1.1<nop sled><shellcode>;. You can stick your shellcode in the nop sled, but it is up to you :D Since we want $eip to point to our shellcode located some number of bytes away from the start of our buffer, we can start with the buffer address that gets leaked to us by the program and add some offset to get to our nop sled (the nop sled is optional here since we could really just calculate the exact offset, but I was too lazy lol). With some playing around in the binary you can find that the number of bogus characters needed to fill the buffer is 139; after the 139th character you begin to overwrite the return address :D. Thus our return address should be: buffer address + 139 + a few more bytes, to make sure we go past the return address that we stuck in there and onto the nop sled. Putting it all together we get:
We then have a shell listening on port 1337 that we can nc into :D
(I used a collection of helper functions from Blankwall's Template library. I encourage you to check it out on Github.)