Bypass some basic binary protections
Bypass Stack Canary
Bypassing the canary is much easier for scanf() that only takes in integer, float, or double as we can just input dot/period. If scanf() takes in string, we will have to use format string attack to leak the canary value.
Below shows an example of a C program where if we input a dot/period, the input will be skipped and variable a will retain its original value.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
#include <stdio.h>
int main()
{
int a = 10;
printf("Input: ");
scanf("%d", &a);
printf("%d", a);
// result: 10
return 0;
}
In the provided C code, the program reads an integer from the user using the scanf function. If you input a period (.) when prompted, it will not be a valid integer input, and scanf will not be able to convert it into an integer. As a result, scanf will return a value of 0, indicating that it did not successfully read an integer.
Since the return value of scanf is being ignored in your code, you might not notice any immediate effects. However, the variable a will still retain its initial value of 10, and the output of the program will be:
1
2
3
4
Copy code
Input: 0
10
Here, 0 is the return value of scanf, and 10 is the value of the variable a printed by the second printf statement.
It’s important to note that when scanf fails to read the expected input format, it leaves the input in the buffer, potentially causing issues with subsequent scanf calls or other input operations. In a more complex program, you should handle such input errors and clear the input buffer appropriately.
ASLR
https://ir0nstone.gitbook.io/notes/types/stack/aslr/ret2plt-aslr-bypass
Stack alignement
Sometimes alignment may be required which means your ROP code must be within 16 bytes alignment. This only applies to newer versions of Ubuntu. This means that there must be an even number of addresses in the ROP chain. When you look at the dump() output, you can see that the relative address of the last ROP address is 0x0018 means it is well-aligned. Each 64-bits address takes up 8 bytes of space on the stack. Hence, at 0x0018, the address of main() will causes empty space after 0x0020, showing it is well aligned to 16-bytes (modulus 0x10 must result in 0. Thus 0x0020 % 0x10 = 0x0). To solve the alignment issue, we can add an address to a gadget that contains “RET” at the start of ROP which will not affect our ROP result since “RET” does nothing useful.