In the `StarCTF 2018 - babystack` challenge, a `stack overflow` vulnerability lets us leak the `atol@GOT` entry to compute the `libc` base address and then jump to a `one gadget` that executes `execve("/bin/sh")`. The interesting part is replacing the `stack canary` with the correct value so that the `return address` can be overwritten without crashing the program.

When a program uses `pthread`, the thread's `Thread Local Storage (TLS)` is placed adjacent to (just above) that thread's stack, so it can be overwritten by a `stack overflow` in the thread. In this challenge, we overwrite the `stack_guard` attribute in `TLS` (http://www.openwall.com/lists/oss-security/2018/02/27/5) with an arbitrary value, which is the master copy the canary check compares against, so the `canary` protection no longer detects the corruption. This is an interesting `ROP` challenge for learning to bypass protections like `NX`, `Canary`, `Full RELRO`, and `ASLR` in `x86_64` binaries.
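The following C program is an added example, not code from the original writeup, that lets you verify the layout fact the paragraph relies on on your own toolchain: inside a `pthread`, it records the address of a local buffer, the address of the thread control block (TCB) returned by `pthread_self()`, and the stack guard value read both the way `-fstack-protector` epilogues read it (`%fs:0x28`) and as ordinary memory at `tcb + 0x28`. It assumes x86_64 glibc (TLS addressed through `%fs`, `stack_guard` at offset 0x28 of the TCB, `pthread_self()` returning the TCB address); compile with `gcc -pthread`. The names `tls_probe`, `probe_thread` and `tcb_reachable_from_thread_stack` are invented for this example.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>

/* Snapshot of one thread's layout, filled in from inside that thread. */
struct tls_probe {
    uintptr_t local;     /* address of a local buffer in the thread's frame */
    uintptr_t tcb;       /* pthread_self(): struct pthread / TCB (x86_64 glibc assumption) */
    uintptr_t guard_fs;  /* stack guard as compiled code reads it, via %fs:0x28 */
    uintptr_t guard_mem; /* the same slot read as plain memory at tcb + 0x28 */
};

/* Read the canary master copy the way -fstack-protector epilogues do
 * (x86_64 glibc: tcbhead_t.stack_guard lives at %fs:0x28). */
static uintptr_t read_guard_via_fs(void)
{
    uintptr_t g;
    __asm__ volatile("mov %%fs:0x28, %0" : "=r"(g));
    return g;
}

static void *probe_thread(void *arg)
{
    struct tls_probe *p = arg;
    volatile char buf[64];          /* stand-in for a local buffer in the thread */
    buf[0] = 0;
    p->local = (uintptr_t)&buf[0];
    p->tcb = (uintptr_t)pthread_self();
    p->guard_fs = read_guard_via_fs();
    p->guard_mem = *(volatile uintptr_t *)(p->tcb + 0x28);
    return NULL;
}

/* Run the probe in a fresh pthread. Returns 1 when the TCB sits a short
 * distance above the thread's local buffer (i.e. within reach of a forward
 * stack overflow), 0 when it does not, -1 if the thread could not be created. */
int tcb_reachable_from_thread_stack(struct tls_probe *out)
{
    pthread_t t;
    if (pthread_create(&t, NULL, probe_thread, out) != 0)
        return -1;
    pthread_join(t, NULL);
    if (out->tcb <= out->local)
        return 0;
    /* The thread's first frames sit directly below the static TLS block and
     * the TCB; a gap beyond 1 MiB would mean some other mapping entirely. */
    return (out->tcb - out->local) < (1u << 20);
}

int main(void)
{
    struct tls_probe p;
    int r = tcb_reachable_from_thread_stack(&p);
    printf("local buffer      %#lx\n", (unsigned long)p.local);
    printf("TCB (pthread_self) %#lx  (%+ld bytes from the buffer)\n",
           (unsigned long)p.tcb, (long)(p.tcb - p.local));
    printf("guard via %%fs:0x28 = %#lx, *(tcb+0x28) = %#lx -> %s\n",
           (unsigned long)p.guard_fs, (unsigned long)p.guard_mem,
           p.guard_fs == p.guard_mem ? "same slot" : "different slots");
    return r == 1 ? 0 : 1;
}
```

Running it prints a TCB address only a few kilobytes above the thread's buffer and shows that `%fs:0x28` and `tcb + 0x28` hold the same value: the canary's reference copy is ordinary writable memory at the top of the thread's own stack mapping, which is why a linear overflow in a thread can make the corrupted frame canary and its reference agree. On the main thread the TCB is a separate allocation, so the same check returns a much larger gap there.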

Original writeup (https://github.com/sajjadium/ctf-writeups/tree/master/StarCTF/2018/babystack).