This was part of a challenge which is now ended.
On that server, when the cgi application was called remotely, apache executed it with the permissions of the owner of that binary. So the goal was to abuse those rights with buffer overflow.
The application had all kinds of protections and in order to execute arbitrary code you had to definitely remove ASLR. The server was old btw so both "ulimit -s unlimited" and "setarch uname -m -R /path/app" would have effectively achieve the aslr removal. Now where i was stacked was to execute locally the application with the permissions of the owner.
I think the application didn't have the suid, so apache had to change the euid somehow right? Is it possible to get that behavior locally? I had btw shell access to the server with the apache user.
EDIT: I just thought that i could create a different directory and add a symlink to the target binary, create the .htaccess (with +ExecCGI) and set the "ulimit -s unlimited" on that session. I am not sure if it would have worked though
Thanks
