Original writeup: https://github.com/ctfs/write-ups-2015/tree/master/32c3-ctf-2015/pwn/readme-200
Once the canary has been tampered with, the stack protector path goes __fortify_fail -> __libc_message, and the message is built as:

__libc_message (2, "*** %s ***: %s terminated\n", msg, __libc_argv[0] ?: "<unknown>");

Because the second %s is read through __libc_argv[0], overwriting that pointer makes the abort message print whatever memory it now points to, which is the leak.
The original writeup sets LIBC_FATAL_STDERR_=1 so that the error lands on stderr. I gave it a try and it did not work; I could not be bothered to read the libc source, but maybe the corresponding environment variable changed after a version bump.
All that is left to do is somehow redirect the server output to our side, which can be done by setting the environment variable LIBC_FATAL_STDERR_ to 1: LIBC_FATAL_STDERR_=1.
To know why this works, we again read glibc source code, this time the source code for the __libc_message function. We see that the environment variable LIBC_FATAL_STDERR_ is read using __libc_secure_getenv. If it isn't set or empty and thus \0 or NULL, stderr is redirected to _PATH_TTY, which usually is /dev/tty - hence error messages will be not sent to stderr but to a device only visible on server side.
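From the defender's side, the same message is a useful crash signal: a genuine "*** stack smashing detected ***" line names the program that died, while a line whose argv[0] field is not a plausible program path suggests __libc_argv[0] itself was overwritten, exactly the leak described above. The scanner below is an added example written for this note, not code from the original writeup or from glibc; the sample log lines are constructed, and the plausibility rules for argv[0] are this example's own heuristics, not a glibc rule.

```python
import re
import string

# Message shape emitted by glibc's __libc_message on the __fortify_fail path,
# as quoted above: "*** %s ***: %s terminated\n" with msg and __libc_argv[0].
FATAL_RE = re.compile(r"\*\*\* (?P<msg>.+?) \*\*\*: (?P<argv0>.*) terminated$")

# Constructed sample lines (not from any real host): a normal abort, two aborts
# whose argv[0] field carries something other than a program name, the
# "<unknown>" fallback, and an unrelated line that must be ignored.
SAMPLE_LINES = [
    "*** stack smashing detected ***: /usr/bin/readme terminated",
    "*** stack smashing detected ***: flag{constructed_sample} terminated",
    "*** stack smashing detected ***: \x7fELF\x02\x01\x01 terminated",
    "*** buffer overflow detected ***: <unknown> terminated",
    "connection from 10.0.0.5 accepted",
]

# string.printable minus vertical tab and form feed, which never occur in a path.
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def argv0_is_plausible(argv0: str) -> bool:
    """Heuristic (this example's assumption, not a glibc guarantee): a real
    argv[0] is printable, reasonably short and made only of path characters."""
    if argv0 == "<unknown>":
        return True  # glibc's own fallback when __libc_argv[0] is NULL
    if not argv0 or len(argv0) > 255:
        return False
    if any(ch not in PRINTABLE for ch in argv0):
        return False
    return re.fullmatch(r"[A-Za-z0-9._/+-]+", argv0) is not None


def parse_fatal_line(line: str):
    """Return (msg, argv0) for a glibc fatal message line, else None."""
    m = FATAL_RE.search(line)
    if m is None:
        return None
    return m.group("msg"), m.group("argv0")


def scan(lines):
    """Return (msg, argv0, suspicious) for every glibc fatal message found.
    suspicious is True when the argv[0] field does not look like a program,
    i.e. the pointer the message was built from was probably overwritten."""
    findings = []
    for line in lines:
        parsed = parse_fatal_line(line)
        if parsed is None:
            continue
        msg, argv0 = parsed
        findings.append((msg, argv0, not argv0_is_plausible(argv0)))
    return findings


if __name__ == "__main__":
    for msg, argv0, suspicious in scan(SAMPLE_LINES):
        tag = "SUSPICIOUS argv[0]" if suspicious else "ok"
        print(f"{msg!r} from {argv0!r}: {tag}")
```

Run it over journal or syslog output from a service built with -fstack-protector; the ordinary case is a clean path and can be handled as a plain crash, while a flagged line is worth treating as an exploitation attempt rather than a bug report.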