Defeating Stack Canary, PIE and DEP on a remote 64-bit server with byte-wise brute force
Previously we saw how to leak libc addresses from the GOT to exploit an unknown libc version. But there we had the stack canary and PIE (position independent executable) disabled. This time we will see how we can defeat all these protections too, on a server.

Check out this server code. It's a very simple TCP server that reads a message from a client, maybe processes it, and can serve many clients simultaneously by forking child processes, with each child serving one client. This one's not very efficient, but many actual servers follow a similar multi-process and also multi-threaded approach, just much more efficiently.

Compile it without any flags (gcc version 9.3.0):

    $ gcc msg_server.c -o msg_server

Notice how we have all the default protections on now.

    gdb-peda$ checksec
    CANARY    : ENABLED
    FORTIFY   : disabled
    NX        : ENABLED
    PIE       : ENABLED
    RELRO     : Partial

You can run it with

    $ ./msg_server 8888
    [i] Listening on PORT 8888, sfd is 3

Try connecting it with netca...