
Regarding nginx_chunked_size exploit

Question asked by Blake Troksa on Jul 25, 2017

The exploit does not find the stack canary. It uses brute force to figure it out but always ends up with 0x00000000 which is not correct. Has anyone else had this problem? Also, is there a way to find the stack canary of nginx without brute forcing it?


This is what I am seeing:

[*] 10.222.10.51:8806 - Searching for stack canary
[*] 10.222.10.51:8806 - Assuming byte 0 0x00
[*] 10.222.10.51:8806 - Bruteforcing byte 1
[+] 10.222.10.51:8806 - Byte 1 found: 0x00
[*] 10.222.10.51:8806 - Bruteforcing byte 2
[+] 10.222.10.51:8806 - Byte 2 found: 0x00
[*] 10.222.10.51:8806 - Bruteforcing byte 3
[+] 10.222.10.51:8806 - Byte 3 found: 0x00
[-] 10.222.10.51:8806 - Exploit aborted due to failure: unknown: - Unable to find stack canary
[*] Exploit completed, but no session was created.

It seems the brute forcing of the stack canary is not working for some reason.
