| description |
|---|
09/19/2023 |
In this tutorial, we will be defeating stack canaries, a common mitigation technique for buffer overflows.
However, just like anything else, we can bypass them with the right effort and determination!
Stack canaries serve as warnings to the computer that a buffer overflow has occurred and will immediately crash the program.
Simply put, a stack canary is a randomly chosen number that sits between any buffers and the return address inside of a function.
[Buffer] Stack Canary [Return address] -> Buffer Overflow -> PC -> Canary = Different Number? -> Crash
{% embed url="https://www.youtube.com/watch?v=N7kGd76evsM" %}
These implementations are very lightweight and rather effective. However, they are fairly easy to bypass.
- When the function is ready to return, before we jump to the return address, we check the canary value to ensure it is the same, original value.
- If it is not the same value, a stack smashing error will be issued; crashing the program.
- The attacker has essentially overwritten the canary value and alerted the system.
- Stack Leak:
The attacker could obtain the value directly from the stack, write the value back in during a BOF, and successfully bypass the canary.
- Guessing the Value (Incremental Solving):
Guess one value at a time (256 possibilities/value). The program will not crash if we guess the first correct byte, meaning we can deduce one-by-one until we get all correct values (in a 32-bit scenario).
The worst case scenario would be we would need to guess 1,024 times.
256 (possibilities) x 4 (bytes) = 1,024 (Guesses)