Stack reading

Bruteforce as stack reader

Once the overflow offset is known (the offset at which the binary crashes), it is possible to recover the value of the bytes that follow on the stack by enumerating all possible values and keeping the one that does not crash the binary.

This technique is mostly used to leak the canary.

If the server is compiled with PIE or has a stack canary, it must be a forking daemon without stack re-randomization: every child inherits the same canary and addresses, so a wrong guess only kills that child and the next connection can try again.

How does it work?

The idea is to overflow into a single byte of the targeted value, for example the canary, overwriting it with a guessed byte x.

If x was correct, the binary does not crash.

This is repeated over all 256 possible byte values until the right one is found. The attack then moves on to the next byte, until all bytes (8 on 64-bit) are leaked.
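The byte-by-byte search described above, as an added simulation that is not code from the original page. The forking daemon is replaced by a stand-in class whose `handle()` method answers the only question the technique needs, "did the child crash?", and the `rerandomize` flag models the defence the text names (a daemon that draws a fresh canary for every child). Class and function names are assumptions for this example.

```python
import random

CANARY_LEN = 8  # bytes in a 64-bit canary


class ForkingService:
    """Simulated forking daemon used as a crash oracle (constructed stand-in).

    The canary is drawn once in the "parent" and inherited by every forked
    "child", which is the condition the text states for the attack. With
    rerandomize=True each child draws a fresh canary instead, modelling a
    daemon that re-randomizes on fork (or execs a new process per client).
    A fixed seed keeps the simulation reproducible.
    """

    def __init__(self, rerandomize: bool = False, seed: int = 0) -> None:
        self.rerandomize = rerandomize
        self._rng = random.Random(seed)
        # Exposed only so the demo can check its own result; a real target
        # never reveals this value directly.
        self.secret = self._fresh_canary()
        self.children_spawned = 0

    def _fresh_canary(self) -> bytes:
        return bytes(self._rng.getrandbits(8) for _ in range(CANARY_LEN))

    def handle(self, payload: bytes) -> bool:
        """Serve one connection with `payload` written over the start of the
        canary. Returns True if the child survived (bytes matched), False if
        the canary check failed and the child crashed."""
        self.children_spawned += 1
        canary = self._fresh_canary() if self.rerandomize else self.secret
        return canary.startswith(payload)


def stack_read(oracle, length: int = CANARY_LEN):
    """Byte-by-byte stack reading.

    oracle(prefix) reports whether a child survives with `prefix` written over
    the target value. Every position is tried with all 256 values; the one that
    does not crash is kept and the next position is attacked. Returns
    (leaked_bytes, connections_used). Stops early when no value at a position
    survives, which is what happens against a re-randomizing daemon or with a
    wrong overflow offset.
    """
    known = b""
    connections = 0
    for _ in range(length):
        for guess in range(256):
            connections += 1
            if oracle(known + bytes([guess])):
                known += bytes([guess])
                break
        else:
            break  # no candidate survived at this position
    return known, connections


if __name__ == "__main__":
    for rerand in (False, True):
        svc = ForkingService(rerandomize=rerand, seed=1)
        leaked, used = stack_read(svc.handle)
        print(f"rerandomize={rerand}: leaked {leaked.hex()} ({len(leaked)} bytes) "
              f"in {used} connections; correct={leaked == svc.secret}")
```

Against the non-re-randomizing daemon the full 8-byte canary is recovered in at most 256 * 8 = 2048 connections, each failed guess being one crashed child, rather than the 2^64 guesses a whole-value search would need; against the re-randomizing daemon the search collapses after the first byte, because a survivor at one position says nothing about the next child's canary. For a defender, that burst of child crashes (on glibc, the "stack smashing detected" abort) in the service log is the observable side of the technique, and re-randomizing on fork is what removes it.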
