Stack canaries protection and ROP

A stack canary is still a problem, because you cannot control the EIP in a stack based buffer overflow without overwriting the return address (which is above the canary). Furthermore, the function that contained the stack based buffer overflow must return before the corrupted return address becomes the new EIP.

This is not a problem for dangling pointers.

You need to spend more time with your debugger! There is no excuse for this. If you had stepped through the exploitation process you would know this!


In some overflow cases you could overwrite EIP without touching the canary value. Here is the quote from the book "A Guide to Kernel Exploitation: Attacking the Core" by Enrico Perla:

A stack canary is a good protection scheme, but it suffers from a few problems: A particularly controlled overflow (e.g., an index-based overflow on an array saved on the stack) can write past the canary without touching it.
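The difference the book describes, modelled as an added C example that is not part of either answer or of the book: a constructed struct stands in for a 32-bit frame (buffer, canary, saved EBP, return address), and the canary value, return address and offsets are all made-up constants. A linear overflow must pass through the canary to reach the return address, so the epilogue check catches it; an index-based write lands on the return-address slot alone and the check passes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a 32-bit x86 frame protected by a stack canary:
 * local buffer, then the canary, then saved EBP and the return address.
 * Nothing here touches a real stack; the frame is an ordinary struct. */
#define BUF_LEN  16
#define CANARY   0xFF0A1234u  /* constructed; real canaries are random per process */
#define GOOD_RET 0x08048500u  /* constructed legitimate return address */

struct frame {
    char     buf[BUF_LEN];
    uint32_t canary;
    uint32_t saved_ebp;
    uint32_t ret;             /* loaded into EIP when the function returns */
};

static void frame_init(struct frame *f) {
    memset(f, 0, sizeof *f);
    f->canary = CANARY;
    f->ret = GOOD_RET;
}

/* The epilogue check: 1 = canary intact, 0 = smashed (__stack_chk_fail would abort). */
static int canary_ok(const struct frame *f) { return f->canary == CANARY; }

/* Case 1: linear overflow (an unbounded copy into buf). Bytes past buf are
 * overwritten in order, so the canary is clobbered on the way to ret.
 * Returns 1 when ret was corrupted AND the canary check would catch it. */
int linear_overflow_caught(void) {
    struct frame f; frame_init(&f);
    memset(&f, 'A', offsetof(struct frame, ret) + sizeof f.ret); /* buf .. ret */
    return f.ret != GOOD_RET && !canary_ok(&f);
}

/* Case 2: index-based write (out-of-range index into an array on the stack).
 * Only the slot at the chosen offset is written; the canary in between is
 * untouched, so the check passes and the function returns to the bad address. */
int index_write_caught(void) {
    struct frame f; frame_init(&f);
    uint32_t bad = 0x41414141u;
    memcpy((char *)&f + offsetof(struct frame, ret), &bad, sizeof bad);
    return f.ret != GOOD_RET && !canary_ok(&f);   /* canary still intact -> 0 */
}

int main(void) {
    printf("linear overflow caught by canary: %d\n", linear_overflow_caught());
    printf("index write caught by canary:     %d\n", index_write_caught());
    return 0;
}
```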