Linux Stack Protection By Default
A modern gcc (v9.2.0 here) protects the stack by default. You will notice it because a stack overflow produces a SIGABRT instead of a SIGSEGV, and it still generates a coredump.
In this case the compiler adds the variable local_10. This variable holds the canary value, which is checked at the end of the function before it returns.
The memset overflows the four-byte stack variable and modifies the canary value.
The 64-bit canary 0x5429851ebaf95800 can't be predicted, but in specific situations it is not regenerated and can be brute-forced, or in other situations it can be leaked from memory, for example through a format string vulnerability or an arbitrary read, without overflowing the stack.
If the canary doesn't match, the libc function __stack_chk_fail is called and terminates the program with a SIGABRT, which generates a coredump. On Arch Linux coredumps are managed by systemd and stored in "/var/lib/systemd/coredump/".
❯❯❯ ./test
*** stack smashing detected ***: terminated
fish: './test' terminated by signal SIGABRT (Abort)
❯❯❯ sudo lz4 -d core.test.1000.c611b7caa58a4fa3bcf403e6eac95bb0.1121.1574354610000000.lz4
[sudo] password for xxxx:
Decoding file core.test.1000.c611b7caa58a4fa3bcf403e6eac95bb0.1121.1574354610000000
core.test.1000.c611b : decoded 249856 bytes
❯❯❯ sudo gdb /home/xxxx/test core.test.1000.c611b7caa58a4fa3bcf403e6eac95bb0.1121.1574354610000000 -q
We specify the binary and the core file as gdb parameters. There is only one LWP (light weight process, i.e. Linux thread), so in this case it is quicker to check. First of all let's look at the backtrace, because in this case execution did not terminate at the faulting return.
On frame 5 we can see the address that would have been returned to in main if the program had not aborted.
Happy idea: we can use these stack-canary aborts to detect stack overflows. On Debian with previous versions it will be exploitable depending on the compilation flags used.
Also note that the canary is placed after the local variables, just below the saved frame pointer and return address, so the local variables before it can still be overwritten without tripping the check.
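As a defender's follow-up to the idea of using these aborts as a stack-overflow signal, here is an added example (not code from the original post) that parses systemd-coredump file names like the one above into their fields and counts dumps per binary. It assumes the naming scheme core.COMM.UID.BOOTID.PID.TIMESTAMP with an optional compression suffix and a microsecond timestamp; the sample names other than the post's own are constructed.

```python
"""Parse systemd-coredump file names and count dumps per command.

Assumes the scheme core.COMM.UID.BOOTID.PID.TIMESTAMP[.lz4|.zst|.xz],
with TIMESTAMP in microseconds since the epoch (hypothetical helper,
not part of the original post).
"""
from collections import Counter
from datetime import datetime, timezone
from typing import NamedTuple, Optional

COMPRESSION_SUFFIXES = (".lz4", ".zst", ".xz")


class CoreDump(NamedTuple):
    comm: str          # command name (from /proc/PID/comm)
    uid: int
    boot_id: str
    pid: int
    when: datetime     # crash time, UTC
    compressed: bool


def parse_coredump_name(name: str) -> Optional[CoreDump]:
    """Parse one file name from /var/lib/systemd/coredump; None if it does not match."""
    compressed = name.endswith(COMPRESSION_SUFFIXES)
    if compressed:
        name = name.rsplit(".", 1)[0]
    parts = name.split(".")
    # COMM itself may contain dots, so peel the fixed fields off from the right.
    if len(parts) < 6 or parts[0] != "core":
        return None
    uid, boot_id, pid, ts = parts[-4:]
    comm = ".".join(parts[1:-4])
    if not (uid.isdigit() and pid.isdigit() and ts.isdigit() and len(boot_id) == 32):
        return None
    when = datetime.fromtimestamp(int(ts) / 1_000_000, tz=timezone.utc)
    return CoreDump(comm, int(uid), boot_id, int(pid), when, compressed)


def dumps_per_binary(names) -> Counter:
    """Count dumps per command name; a sudden rise for one binary is worth triage."""
    counts = Counter()
    for n in names:
        d = parse_coredump_name(n)
        if d is not None:
            counts[d.comm] += 1
    return counts


# Constructed sample: the first entry is the file from the post, the rest are made up.
SAMPLE_NAMES = [
    "core.test.1000.c611b7caa58a4fa3bcf403e6eac95bb0.1121.1574354610000000.lz4",
    "core.test.1000.c611b7caa58a4fa3bcf403e6eac95bb0.1130.1574354700000000.lz4",
    "core.my.daemon.0.c611b7caa58a4fa3bcf403e6eac95bb0.412.1574354800000000.zst",
    "not-a-coredump.txt",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(n, "->", parse_coredump_name(n))
    print(dumps_per_binary(SAMPLE_NAMES))
```

To run it against a real system, feed it the entries of os.listdir("/var/lib/systemd/coredump") instead of SAMPLE_NAMES.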