We can leak a libc address by allocating a small buffer, then setting size to a larger value in process_flock. The loop XORs and compares — but we just need it to not crash before leaking. We can force the comparison to fail (wrong input) and then it prints the transformed buffer? No, it doesn’t print. But it does call puts on a global string — no direct leak.
Better: The loop continues reading memory past the heap chunk. By controlling the input to read, we can partially overwrite the heap metadata? Not here.
But in GDB, I found that the heap buffer is followed by a libc pointer (if unsorted bin).
By setting malloc size = 8, then process_flock loop index = 100, the XOR loop will output to stdout? Wait, it doesn't output. Hmm.
Actually, re-reading: process_flock returns 1 on match, else 0. No output. So leak must be via overflow into another structure. No.
Let's skip to the real vuln:
In read(0, buffer, size), size is user-controlled and unchecked relative to malloc’d size. That’s the bug. We can malloc 16 bytes but read 200 bytes → heap overflow.
There is a third, truly avant-garde interpretation: the hacking of actual birds.
Biologists now use "bio-loggers" to track migration. These devices sit on a bird's back. In 2022, a white-hat researcher discovered that the firmware on a popular tracking tag had a buffer overflow vulnerability. In theory, a malicious actor could:
This is the literal definition of pwnhack birds: Gaining unauthorized access to a biological host's data stream.
On underground forums, operators sometimes use whimsical names to advertise illegal services.
Smart bird feeders with AI cameras (like Bird Buddy) identify species and tweet sightings. Attackers can print adversarial patterns on seed trays—subtle gradients invisible to humans but recognized by the AI as a "rare ivory-billed woodpecker." The result: thousands of false reports flood ornithology databases. That’s a pwnhack bird attack against the data layer.
When an object is freed in C++ using delete, the memory is returned to the heap (glibc malloc), but the pointer variable in the program is not set to nullptr.
Since the challenge involves a "Bird" theme, we typically want to manipulate the vtable to execute a "magic" function or a system call chain.
Step 1: Heap Layout
We allocate two objects. Let's call them bird_A and bird_B.
Step 2: Trigger UAF
We free both objects.
Now the heap has two free chunks. Because of how glibc works (Fastbins or Tcache), a subsequent allocation of the same size will likely return the memory address of bird_A or bird_B.
Step 3: Overwriting the vptr
The program likely allows us to write data (perhaps via a rename function or simply by allocating a new buffer that lands on top of the freed object).
If we allocate a string/character buffer with the same size as the freed Bird object, we can overwrite the first 8 bytes of the freed object. The first 8 bytes are the vtable pointer.
Step 4: Hijacking Control Flow
We overwrite the vtable pointer to point to a memory region we control (or a fake vtable).
When the program calls bird_A->sing():
If we overwrite the vptr, we can direct execution to:
Specifics for "Bird":
In many variations of this challenge, the binary contains a hidden give_shell function, or the goal is to call system.
Since Partial RELRO is on, the vtable pointers are usually stored in a writable section of the binary (.data or .bss).
We can overwrite the vtable pointer to point to a location we control, or modify the existing vtable entries if they are writable.