Tags: format-string
Rating:
Since there is no ASLR, it's possible for us to known the canary address(I use %18$p - 0xc0). Then we are able to fix canary.
As a result, the fixed canary will call \_\_stack_check_fail.
So my exp works as the following:
1. hijack \_\_stack_check_fail@got to noxFlag
2. fix canary
3. the fixed canary will call \_\_stack_check_fail, which is noxFlag indeed.
4. get flag
Here is my [exp](https://github.com/0x01f/pwn_repo/blob/master/noxCTF2018_believeMe/exp.py)