RPISEC / MBE

Course materials for Modern Binary Exploitation by RPISEC
BSD 2-Clause "Simplified" License

rop_exit binary still has canaries #18

Open itszn opened 8 years ago

itszn commented 8 years ago

Apparently the rop_exit binary is still compiled with stack canaries. It was changed in f2aa1145ab0573f42382b563c4c8519bbbc6f0e2, but apparently it was not rebuilt before the 1.1 release.

gaasedelen commented 8 years ago

Can you confirm if this is the binary in the v1.1 VM or the one in the standalone binaries zip? I believe the standalone binaries zip might not be in sync with the binaries in the v1.1 VM, so that should probably be fixed.

Grazfather commented 8 years ago

The VM version has canaries:

lecture@warzone:/levels/lecture/rop$ md5sum rop_exit
fa6bf6f0b133d6127a2f796a3f6873cb  rop_exit
lecture@warzone:/levels/lecture/rop$ gdb rop_exit
Reading symbols from rop_exit...(no debugging symbols found)...done.
gdb-peda$ disass main
Dump of assembler code for function main:
   0x080486dc <+95>:    call   0x8048550 <__stack_chk_fail@plt>
   0x080486e1 <+100>:   lea    esp,[ebp-0xc]
   0x080486e4 <+103>:   pop    ebx
   0x080486e5 <+104>:   pop    esi
   0x080486e6 <+105>:   pop    edi
   0x080486e7 <+106>:   pop    ebp
   0x080486e8 <+107>:   ret
End of assembler dump.
gdb-peda$ checksec
CANARY    : ENABLED
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : Partial

Grazfather commented 8 years ago

$ md5 MBE_VM.vmdk
MD5 (MBE_VM.vmdk) = 9655bbe68e22d466885ebc17320d3a0e
$ ls -lh MBE_VM.vmdk.gz
-rw-r--r--  1 grazfather  staff  1153094387 Sep 28 00:02 MBE_VM.vmdk.gz

SharonBrizinov commented 4 years ago

Also, shouldn't it be compiled statically? It's probably their first ROP chain.

kuqadk3 commented 4 years ago

God...I have spent my afternoon trying to bypass the canaries...