Posts

Featured

Defeating Stack Canary, PIE and DEP on remote 64 bit server with byte wise bruteforce

Previously we saw how to leak libc addresses from the GOT to exploit an unknown libc version, but with the stack canary and PIE (position independent executable) disabled. This time we will see how to defeat all of these protections on a server as well. Check out this server code: a very simple TCP server that reads a message from the client, maybe processes it, and can serve many clients simultaneously by forking a child process for each client. It is not very efficient, but many real servers follow a similar multi-process (or multi-threaded) design, just far more efficiently.

Compile it without any flags (gcc version 9.3.0):

$ gcc msg_server.c -o msg_server

Notice that all the default protections are now on:

gdb-peda$ checksec
CANARY : ENABLED
FORTIFY : disabled
NX : ENABLED
PIE : ENABLED
RELRO : Partial

Run it with:

$ ./msg_server 8888
[i] Listening on PORT 8888, sfd is 3

Try connecting to it with netca...
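The reason a fork-per-client server is exposed to the byte-wise brute force named in the title is that fork() duplicates the parent's memory, so every child carries the same stack canary: a wrong guess aborts only that child, the parent keeps listening, and the next connection gets the same value. Below is an added user-space simulation of that attack (not the blog's msg_server.c and not the exploit from the post). The child is modelled by a function that "survives" only if the overwritten bytes match the real canary; the canary value and the connection model are constructed here for the demonstration.

```c
// Added example: simulate byte-wise stack-canary brute force against a
// forking server. Not the page's server or exploit code.
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one forked child handling one connection. In a real forking
 * server every child inherits the parent's canary, so real_canary is the
 * same for every "connection". The child is "killed" (returns 0, the
 * stack-smashing check failing) when any overwritten byte differs from
 * the real canary, and "survives" (returns 1) otherwise. Bytes are compared
 * in stack (little-endian) order, lowest byte first. */
static int child_survives(uint64_t real_canary, const uint8_t *overwrite, size_t n) {
    uint8_t real[8];
    memcpy(real, &real_canary, sizeof real);   // little-endian layout, as on the stack
    return memcmp(real, overwrite, n) == 0;
}

/* Attacker side: recover the 8-byte canary one byte at a time. Each byte
 * needs at most 256 connections, so the whole canary costs at most 2048
 * attempts instead of 2^64. Returns the recovered canary; *attempts receives
 * the number of simulated connections used. */
uint64_t bruteforce_canary(uint64_t real_canary, unsigned *attempts) {
    uint8_t guess[8] = {0};
    *attempts = 0;
    for (size_t i = 0; i < 8; i++) {
        int found = 0;
        for (int b = 0; b < 256; b++) {
            guess[i] = (uint8_t)b;     // overwrite bytes 0..i, only byte i is new
            (*attempts)++;
            if (child_survives(real_canary, guess, i + 1)) {
                found = 1;             // child did not abort: byte i is correct
                break;
            }
        }
        if (!found)
            return 0;                  // cannot happen in this model
    }
    uint64_t recovered;
    memcpy(&recovered, guess, sizeof recovered);
    return recovered;
}

int main(void) {
    /* Constructed canary; glibc on x86-64 keeps the lowest byte 0x00, which
     * the attacker does not rely on here (byte 0 is simply found first). */
    uint64_t canary = 0x1a2b3c4d5e6f7700ULL;
    unsigned attempts;
    uint64_t got = bruteforce_canary(canary, &attempts);
    printf("recovered 0x%016llx in %u attempts\n",
           (unsigned long long)got, attempts);
    return got == canary ? 0 : 1;
}
```

On the real server each attempt is a fresh TCP connection that overflows the buffer up to and including the guessed canary bytes; a wrong guess shows up as the child dying (no reply, connection closed), a right guess as the child answering normally. The same byte-wise idea then applies to the saved RBP and return address, which is how PIE is dealt with without a separate leak.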

Latest Posts

Leak libc addresses from GOT to exploit unknown Libc, bypassing ASLR Remotely 64 bit

Format Strings: GOT overwrite to change Control Flow Remotely on ASLR

Return to PLT, GOT to bypass ASLR remotely