Leaking Address

Leaking addresses is useful when you need to recover the stack canary or work out the base address of a PIE binary.

The ability to leak addresses comes from vulnerabilities such as overwriting the null byte at the end of a string and, most commonly, format string vulnerabilities.

Overwriting null bytes example:

#include <stdio.h>
#include <unistd.h>

char buf1[0x20];
char flag[0x30];

read(0, buf1, 0x20);   // can fill every byte of buf1; read() never writes a '\0'
puts(buf1);            // prints until the first '\0' it finds

In this example read() takes in 0x20 bytes and buf1 is exactly 0x20 bytes, so when the input fills the buffer there is no room for the terminating null byte \x00, and read() does not add one anyway. When buf1 is then printed as a string, printing runs past the end of buf1 into the memory that follows it, and if flag sits right after buf1 its contents are printed along with the input. Whether flag really follows buf1 depends on how the compiler laid out the frame, so check the layout in a disassembler rather than assuming declaration order.

The same bug can leak other important variables and memory addresses, and an address leak is often the first step towards compromising the whole binary, or even the system, for example by spawning a shell.
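The following is an added, self-contained C example (not code from the original page) that reproduces the missing-terminator leak deterministically and shows the fix next to it. It assumes the layout the example above relies on, namely that flag sits directly after buf1; a struct of two char arrays guarantees that adjacency on any compiler. The secret in flag and the fake_read helper standing in for read(2) are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample secret; in the page's example this is the flag buffer. */
#define SAMPLE_FLAG "flag{constructed_sample}"

/* Constructed layout: buf1 is immediately followed by flag, which is what the
 * stack example above relies on. Two char arrays in a struct are guaranteed
 * adjacent with no padding, so the result is deterministic on any compiler. */
struct frame {
    char buf1[0x20];
    char flag[0x30];
};

/* Stand-in for read(0, dst, n): copies at most n bytes of the input and, like
 * read(2), never writes a terminating '\0'. Returns the byte count. */
static size_t fake_read(char *dst, size_t n, const char *src) {
    size_t len = strlen(src);
    if (len > n) len = n;
    memcpy(dst, src, len);
    return len;
}

/* The page's pattern: read() may fill all 0x20 bytes of buf1, so no '\0' is
 * left inside it and puts(buf1) / printf("%s", buf1) keeps going into flag.
 * Returns the number of bytes such a print would emit. The scan goes through
 * a pointer to the whole struct so it stays inside a single object. */
size_t vulnerable_len(const char *input) {
    struct frame f;
    memset(&f, 0, sizeof f);
    strcpy(f.flag, SAMPLE_FLAG);
    fake_read(f.buf1, sizeof f.buf1, input);       /* up to 0x20 bytes into 0x20 */
    return strlen((const char *)&f);               /* what a %s print sees */
}

/* Hardened version: reserve one byte for the terminator and write it using
 * the byte count read() returns. The print now stops inside buf1. */
size_t hardened_len(const char *input) {
    struct frame f;
    memset(&f, 0, sizeof f);
    strcpy(f.flag, SAMPLE_FLAG);
    size_t n = fake_read(f.buf1, sizeof f.buf1 - 1, input);
    f.buf1[n] = '\0';
    return strlen((const char *)&f);
}

int main(void) {
    /* constructed input: exactly 0x20 'A's, the case that fills the buffer */
    const char *full = "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA";
    printf("vulnerable: %zu bytes printed (0x20 of input + %zu of flag)\n",
           vulnerable_len(full), strlen(SAMPLE_FLAG));
    printf("hardened:   %zu bytes printed\n", hardened_len(full));
    printf("short input: vulnerable=%zu hardened=%zu\n",
           vulnerable_len("hi"), hardened_len("hi"));
    return 0;
}
```

With a short input both versions behave the same, because the zeroed remainder of buf1 acts as the terminator; the leak only appears once the input is long enough to fill the buffer completely, which is why a read length equal to the buffer size is the thing to look for in review.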

Format string example:

#include <stdio.h>
#include <unistd.h>

char inp[0x20];

ssize_t n = read(0, inp, 0x19);
if (n > 0) inp[n] = '\0';   // terminate what read() actually returned
printf(inp);                // user input used directly as the format string

In this example the user's input becomes the printf format string, so any conversions the user places in it (%p, %x, %s and so on) are applied to whatever values printf finds in registers and on the stack. The user can use this to print out memory they should never see, such as the stack canary or other addresses. The fix is to never pass user data as the format: printf("%s", inp).
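The following is an added C example, not code from the original page, showing the two things a reviewer wants around the printf(inp) pattern: a small check that spots when untrusted input contains format conversions, and the constant-format replacement that makes the input harmless. The sample inputs in main are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Count conversions in untrusted text: every '%' that starts a conversion.
 * "%%" is a literal percent sign and is not counted. Any non-zero result means
 * printf(inp) would interpret the input as a format string instead of data,
 * which is exactly the leak described above. */
size_t count_conversions(const char *s) {
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" prints a literal '%' */
        n++;
    }
    return n;
}

/* The fix for printf(inp): a constant format string, so the user's bytes are
 * only ever an argument. Writes into out and returns snprintf's byte count. */
int echo_fixed(char *out, size_t outlen, const char *inp) {
    return snprintf(out, outlen, "%s", inp);
}

/* Returns 1 if echo_fixed reproduces the input byte for byte, i.e. no
 * conversion in the input was interpreted. */
int echo_preserves(const char *inp) {
    char out[64];
    echo_fixed(out, sizeof out, inp);
    return strcmp(out, inp) == 0;
}

int main(void) {
    /* constructed inputs: harmless text, an escaped percent, and a probe */
    const char *samples[] = { "hello", "100%% done", "%p %p %p %p" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-14s conversions=%zu  echoed unchanged=%d\n",
               samples[i], count_conversions(samples[i]), echo_preserves(samples[i]));
    }
    return 0;
}
```

The counter is a review aid, not a replacement for the fix: the only robust mitigation is the constant format string, and compilers flag the original pattern with -Wformat-security, which is worth turning into an error in CI.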

Receiving the address nicely in pwntools

from pwn import *

p = process('./vuln')   # or remote(host, port)

# the binary sends the raw little-endian bytes of the address on one line;
# pad to 8 bytes so unpack() can decode a 6-byte (or shorter) pointer.
# keepends=False drops only the newline; strip() would also eat address
# bytes that happen to be whitespace (0x20, 0x0a, 0x09)
pop_rdi_ret = unpack(p.recvline(keepends=False).ljust(8, b'\0'))
info(f'pop_rdi_ret address: {pop_rdi_ret:#x}')

If the leak gives the base of the PIE binary (or an address at a known offset from it), set the ELF's base address once; pwntools then rebases its symbol tables, so offsets to functions and variables can be used directly instead of being recalculated for every address.

from pwn import *

elf = context.binary = ELF('./vuln')
p = process(elf.path)

# receiving the leaked address (raw little-endian bytes, padded to 8)
leaked_addr = unpack(p.recvline(keepends=False).ljust(8, b'\0'))

# the leaked address sits at a known offset into the binary (0x0440 here);
# rebasing the ELF makes elf.symbols / elf.got / elf.plt resolve to runtime addresses
elf.address = leaked_addr - 0x0440
assert elf.address & 0xfff == 0, 'PIE base must be page aligned, check the offset'

# Now everything else can use offsets relative to the base
bin_sh_addr = elf.address + 0x0110
