mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 06:00:40 +00:00
Added more canary bypasses
This commit is contained in:
parent
b556bc5d1e
commit
8b39e454a4
2 changed files with 17 additions and 1 deletions
|
@ -64,9 +64,21 @@ The stack vulnerable to a stack overflow might **contain addresses to strings or
|
|||
[pointer-redirecting.md](../../stack-overflow/pointer-redirecting.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
* **Modifying both master and thread canary**
|
||||
|
||||
A buffer overflow in a threaded function protected with canary can be used to modify the master canary of the thread. As a result, the mitigation is useless because the check is used with two canaries that are the same (although modified).
|
||||
|
||||
* **Modify the GOT entry of `__stack_chk_fail`**
|
||||
|
||||
If the binary has Partial RELRO, then you can use an arbitrary write to modify the GOT entry of `__stack_chk_fail` to be a dummy function that does not block the program if the canary gets modified.
|
||||
|
||||
## References
|
||||
|
||||
* [https://guyinatuxedo.github.io/7.1-mitigation\_canary/index.html](https://guyinatuxedo.github.io/7.1-mitigation\_canary/index.html)
|
||||
* [http://7rocky.github.io/en/ctf/htb-challenges/pwn/robot-factory/#canaries-and-threads](http://7rocky.github.io/en/ctf/htb-challenges/pwn/robot-factory/#canaries-and-threads)
|
||||
* 64 bits, no PIE, nx, modify thread and master canary.
|
||||
* [https://7rocky.github.io/en/ctf/other/securinets-ctf/scrambler/](https://7rocky.github.io/en/ctf/other/securinets-ctf/scrambler/)
|
||||
* 64 bits, no PIE, nx, write-what-where primitive. Modify GOT entry of `__stack_chk_fail`.
|
||||
|
||||
<details>
|
||||
|
||||
|
|
|
@ -120,9 +120,13 @@ log.info(f"The canary is: {canary}")
|
|||
|
||||
## Threads
|
||||
|
||||
Threads of the same process will also **share the same canary token**, therefore it'll be possible to **brute-forc**e a canary if the binary spawns a new thread every time an attack happens. 
|
||||
Threads of the same process will also **share the same canary token**, therefore it'll be possible to **brute-force** a canary if the binary spawns a new thread every time an attack happens. 
|
||||
|
||||
A buffer overflow in a threaded function protected with canary can be used to modify the master canary of the thread. As a result, the mitigation is useless because the check is used with two canaries that are the same (although modified).
|
||||
|
||||
## Other examples & references
|
||||
|
||||
* [https://guyinatuxedo.github.io/07-bof\_static/dcquals16\_feedme/index.html](https://guyinatuxedo.github.io/07-bof\_static/dcquals16\_feedme/index.html)
|
||||
* 64 bits, no PIE, nx, BF canary, write in some memory a ROP to call `execve` and jump there.
|
||||
* [http://7rocky.github.io/en/ctf/htb-challenges/pwn/robot-factory/#canaries-and-threads](http://7rocky.github.io/en/ctf/htb-challenges/pwn/robot-factory/#canaries-and-threads)
|
||||
* 64 bits, no PIE, nx, modify thread and master canary.
|
||||
|
|
Loading…
Reference in a new issue