PWN 21

Nick Mckenney
3 min read, Jun 22, 2024


I need to bypass a stack canary using an out-of-bounds array read.

I will force the program to read from memory outside the boundary of the array

This CTF is set up so that the struct is initialized at the very beginning of the function.

So basically, if my array has 9 elements (indices 0 through 8), there is a possibility I can leak my canary by reading one element past the end, at index 9.

My cookie (canary) value sits at 0x7fffffffedb8: 0x6d135cc8d9b3db00

When an array sits close to the top of a function's stack frame, right below the canary, an out-of-bounds read from that array can leak the canary.

The above assembly shows how the below struct is pretty close to the canary

Take note of the rbp-0xa0 dereference. This is moved into rax and then into rdi before the call that starts the CTF.

The CTF is built upon an array

This continues on.

So I know this built an array. The dereference of rbp-0xa0 was passed into this function, and each element is 0x10 bytes in size. My cookie was created at rbp-0x8 and this array was built at rbp-0xa0, so the two are only 0x98 bytes apart.

To go into more detail, the above is a mapping of my "array" before any elements are initialized. My array begins at ed20 and my canary is at edb8 (lower right corner).

Now after my array is initialized

Now, the right column of this screenshot is printed as values by the CTF, and the left column is printed as the name of the array index. So I am 0x10 bytes away from reaching my canary.

Notice in the above screenshot how each element is 0x10 bytes as well.

The below screenshot adds in the values per element

Continuing on

Here I see a call with 4 args. The last 3 are not too interesting for me, but the first one, rbp-0xa0, is: this was the pointer to my array!

$rbp-0xac -> row

$rbp-0x08 -> col

$rbp-0xa4 -> possible stack canary leak

From here, I can see RDI, which holds the pointer to my array. Remember that my array starts at 0x7fffffffed20.

Since I have 9 elements of 0x10 bytes each, my array ends at 0x7fffffffedb0. That is 8 bytes before the canary at 0x7fffffffedb8, so the out-of-bounds element at index 9 has the canary in its second 8 bytes.
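To make the offset arithmetic above and in the struct layout discussion concrete, here is an added example (not code from the original post or from the CTF binary) that models the frame layout described in the write-up: the array at rbp-0xa0, 9 elements of 0x10 bytes, the canary at rbp-0x8. It computes which out-of-bounds index and which qword inside that element land on the canary, shows an unchecked index read leaking it from a constructed frame buffer, and shows the bounds-checked version that refuses the read. The frame contents, the helper names and the canary value reused from the post are all assumptions for illustration; the target binary's real code is not reproduced here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Frame layout taken from the write-up (offsets are below rbp). */
#define ARRAY_OFF  0xa0   /* array base is at rbp-0xa0 */
#define CANARY_OFF 0x08   /* canary lives at rbp-0x8  */
#define ELEM_SIZE  0x10   /* each element is 16 bytes */
#define NELEMS     9      /* legitimate indices are 0..8 */

/* Which index and which byte offset inside that element hit the canary. */
typedef struct { size_t index; size_t byte_off; } leak_pos;

leak_pos canary_position(size_t array_off, size_t canary_off, size_t elem_size)
{
    /* distance from the array base up to the canary slot */
    size_t dist = array_off - canary_off;
    leak_pos p = { dist / elem_size, dist % elem_size };
    return p;
}

/* Constructed model of the frame: ARRAY_OFF bytes starting at the array base.
 * Elements 0..8 get a recognisable pattern, the canary is placed at its slot. */
void build_frame(uint8_t *frame, uint64_t canary)
{
    memset(frame, 0, ARRAY_OFF);
    for (size_t i = 0; i < NELEMS; i++) {
        uint64_t lo = 0x1000 + i;          /* first qword of element i  */
        uint64_t hi = 0x2000 + i;          /* second qword of element i */
        memcpy(frame + i * ELEM_SIZE,     &lo, sizeof lo);
        memcpy(frame + i * ELEM_SIZE + 8, &hi, sizeof hi);
    }
    memcpy(frame + (ARRAY_OFF - CANARY_OFF), &canary, sizeof canary);
}

/* The bug the CTF exploits: the index is never checked against NELEMS,
 * so index 9 reads the bytes right after the array. */
uint64_t vulnerable_read(const uint8_t *frame, size_t idx, size_t qword)
{
    uint64_t v;
    memcpy(&v, frame + idx * ELEM_SIZE + qword * 8, sizeof v);
    return v;
}

/* Hardened form: reject anything past the last real element. */
int safe_read(const uint8_t *frame, size_t idx, size_t qword, uint64_t *out)
{
    if (idx >= NELEMS || qword > 1)
        return -1;
    memcpy(out, frame + idx * ELEM_SIZE + qword * 8, sizeof *out);
    return 0;
}

/* Leak the canary the way the post does: read the out-of-bounds element
 * and pick the qword that overlaps rbp-0x8. */
uint64_t leak_canary(const uint8_t *frame)
{
    leak_pos p = canary_position(ARRAY_OFF, CANARY_OFF, ELEM_SIZE);
    return vulnerable_read(frame, p.index, p.byte_off / 8);
}

int main(void)
{
    uint8_t frame[ARRAY_OFF];
    build_frame(frame, 0x6d135cc8d9b3db00ULL);   /* value from the write-up */

    leak_pos p = canary_position(ARRAY_OFF, CANARY_OFF, ELEM_SIZE);
    printf("canary is element %zu, byte offset %zu\n", p.index, p.byte_off);
    printf("leaked canary: 0x%016llx\n",
           (unsigned long long)leak_canary(frame));

    uint64_t v;
    printf("safe_read(9): %s\n",
           safe_read(frame, 9, 1, &v) == 0 ? "allowed" : "rejected");
    return 0;
}
```

The arithmetic is what matters in the real target: (0xa0 - 0x8) / 0x10 = 9 with remainder 8, so the "tenth" element's second qword is the canary, exactly the 8-byte gap worked out above.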

Once the canary is leaked, I can go on to get my flag.
