# Stack reading

Once the offset is obtain and cause a binary crash, it's possible to obtain the value of the next bytes on the stack that will not crash the binary by enumerate all the possible value.

**This technique is mostly used to leak the canary**

{% hint style="danger" %}
If the server is compiled with the [PIE](/pwn/protections/pie.md) flag or if there is a [stack canary](/pwn/protections/stack-canaries.md), the server must be a F**orking** daemon without stack re-randomization.
{% endhint %}

## How it work ?

The idea is to overflow a single byte of the targeted value, for example the canary, overwriting a single byte `x`

If `x` was correct, the binary will not crash.

The algorithm is repeated for all possible 256 byte values until it is found. The attack continues for the next byte until all bytes (8 on 64-bit) are leaked.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.ctfrecipes.com/pwn/stack-exploitation/stack-buffer-overflow/stack-reading.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.