4.7 KiB
Print Stack Canary
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Enlarge printed stack
Imagine a situation where a program vulnerable to stack overflow can execute a puts function pointing to part of the stack overflow. The attacker knows that the first byte of the canary is a null byte (\x00
) and the rest of the canary are random bytes. Then, the attacker may create an overflow that overwrites the stack until just the first byte of the canary.
Then, the attacker calls the puts functionality on the middle of the payload which will print all the canary (except from the first null byte).
With this info the attacker can craft and send a new attack knowing the canary (in the same program session).
Obviously, this tactic is very restricted as the attacker needs to be able to print the content of his payload to exfiltrate the canary and then be able to create a new payload (in the same program session) and send the real buffer overflow.
CTF examples:
- https://guyinatuxedo.github.io/08-bof_dynamic/csawquals17_svc/index.html
- 64 bit, ASLR enabled but no PIE, the first step is to fill an overflow until the byte 0x00 of the canary to then call puts and leak it. With the canary a ROP gadget is created to call puts to leak the address of puts from the GOT and the a ROP gadget to call
system('/bin/sh')
- 64 bit, ASLR enabled but no PIE, the first step is to fill an overflow until the byte 0x00 of the canary to then call puts and leak it. With the canary a ROP gadget is created to call puts to leak the address of puts from the GOT and the a ROP gadget to call
- https://guyinatuxedo.github.io/14-ret_2_system/hxp18_poorCanary/index.html
- 32 bit, ARM, no relro, canary, nx, no pie. Overflow with a call to puts on it to leak the canary + ret2lib calling
system
with a ROP chain to pop r0 (arg/bin/sh
) and pc (address of system)
- 32 bit, ARM, no relro, canary, nx, no pie. Overflow with a call to puts on it to leak the canary + ret2lib calling
Arbitrary Read
With an arbitrary read like the one provided by format strings it might be possible to leak the canary. Check this example: https://ir0nstone.gitbook.io/notes/types/stack/canaries and you can read about abusing format strings to read arbitrary memory addresses in:
{% content-ref url="../../format-strings/" %} format-strings {% endcontent-ref %}
- https://guyinatuxedo.github.io/14-ret_2_system/asis17_marymorton/index.html
- This challenge abuses in a very simple way a format string to read the canary from the stack
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.