Random Canaries generate the canary value randomly. In general, reading the canary through an exploit is logically impossible. With Random Canaries, the canary value is stored in a global variable when the program is initialized (in the x86-64 glibc build traced below, the prologue reads it from the TLS slot fs:0x28). This value is usually stored in an unmapped page, so any attempt to read that memory causes a segmentation fault and terminates the program. However, if the attacker knows the stack address where the canary is stored, or if the program can be made to read values off the stack, the canary value can be learned.
```c
#include <stdio.h>

int main(int argc, char **argv)
{
    char Overflow[32];

    printf("Hello world!\n");
    gets(Overflow);   /* deliberately unbounded read: this is the overflow traced below */
    return 0;
}
```
gcc -fstack-protector --param ssp-buffer-size=N xx.c  ==> changes the byte threshold (only buffers of at least N bytes get a canary)

gcc -fstack-protector -o canary canary.c
Value stored at 0x7fffffffe1a8 (rbp-0x8): 0x3a3b864735c7b300

At 0x400614, the value in rax (the copy of the canary that the prologue saved at rbp-0x8) is XORed with the value stored at fs:0x28.

At 0x40061d, rax equals 0, so execution jumps to 0x400624 (leave; ret) and main returns normally.
```
lazenca0x0@ubuntu:~/Documents/Definition/protection/Canary$ gdb -q ./Canary
Reading symbols from ./Canary...(no debugging symbols found)...done.
gdb-peda$ disassemble main
Dump of assembler code for function main:
   0x00000000004005d6 <+0>:     push   rbp
   0x00000000004005d7 <+1>:     mov    rbp,rsp
   0x00000000004005da <+4>:     sub    rsp,0x40
   0x00000000004005de <+8>:     mov    DWORD PTR [rbp-0x34],edi
   0x00000000004005e1 <+11>:    mov    QWORD PTR [rbp-0x40],rsi
   0x00000000004005e5 <+15>:    mov    rax,QWORD PTR fs:0x28
   0x00000000004005ee <+24>:    mov    QWORD PTR [rbp-0x8],rax
   0x00000000004005f2 <+28>:    xor    eax,eax
   0x00000000004005f4 <+30>:    mov    edi,0x4006b4
   0x00000000004005f9 <+35>:    call   0x400490 <puts@plt>
   0x00000000004005fe <+40>:    lea    rax,[rbp-0x30]
   0x0000000000400602 <+44>:    mov    rdi,rax
   0x0000000000400605 <+47>:    mov    eax,0x0
   0x000000000040060a <+52>:    call   0x4004c0 <gets@plt>
   0x000000000040060f <+57>:    nop
   0x0000000000400610 <+58>:    mov    rax,QWORD PTR [rbp-0x8]
   0x0000000000400614 <+62>:    xor    rax,QWORD PTR fs:0x28
   0x000000000040061d <+71>:    je     0x400624 <main+78>
   0x000000000040061f <+73>:    call   0x4004a0 <__stack_chk_fail@plt>
   0x0000000000400624 <+78>:    leave
   0x0000000000400625 <+79>:    ret
End of assembler dump.
gdb-peda$ b *0x000000000040060a
Breakpoint 1 at 0x40060a
gdb-peda$ b *0x0000000000400610
Breakpoint 2 at 0x400610
gdb-peda$ r
Starting program: /home/lazenca0x0/Documents/Definition/protection/Canary/Canary
Hello world!

Breakpoint 1, 0x000000000040060a in main ()
gdb-peda$ i r rdi
rdi            0x7fffffffe180      0x7fffffffe180
gdb-peda$ ni
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0x000000000040060f in main ()
gdb-peda$ x/10gx 0x7fffffffe180
0x7fffffffe180: 0x4141414141414141  0x4141414141414141
0x7fffffffe190: 0x4141414141414141  0x4141414141414141
0x7fffffffe1a0: 0x00007fffffffe200  0x3a3b864735c7b300
0x7fffffffe1b0: 0x0000000000400630  0x00007ffff7a2d830
0x7fffffffe1c0: 0x0000000000000000  0x00007fffffffe298
gdb-peda$ c
Continuing.

Breakpoint 2, 0x0000000000400610 in main ()
gdb-peda$ i r rbp
rbp            0x7fffffffe1b0      0x7fffffffe1b0
gdb-peda$ x/gx 0x7fffffffe1b0 - 0x8
0x7fffffffe1a8: 0x3a3b864735c7b300
gdb-peda$ ni
0x0000000000400614 in main ()
gdb-peda$ i r rax
rax            0x3a3b864735c7b300  0x3a3b864735c7b300
gdb-peda$ ni
0x000000000040061d in main ()
gdb-peda$ i r rax
rax            0x0      0x0
gdb-peda$ ni
0x0000000000400624 in main ()
gdb-peda$ x/2i $rip
=> 0x400624 <main+78>:  leave
   0x400625 <main+79>:  ret
gdb-peda$
```
Value stored at 0x7fffffffe1a8 (rbp-0x8): 0x4242424242424242 (the canary slot now holds the 'B' bytes written past the end of the buffer)

At 0x400614, the value in rax is XORed with the value stored at fs:0x28.

At 0x40061d, rax is 0x61061c8ecf993242 (nonzero, because the overwritten slot no longer matches the canary), so execution falls through to the next instruction at 0x40061f, the call to __stack_chk_fail.
"stack smashing detected"
```
gdb-peda$ r
Starting program: /home/lazenca0x0/Documents/Definition/protection/Canary/Canary
Hello world!

Breakpoint 1, 0x000000000040060a in main ()
gdb-peda$ i r rdi
rdi            0x7fffffffe180      0x7fffffffe180
gdb-peda$ ni
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBB
0x000000000040060f in main ()
gdb-peda$ x/10gx 0x7fffffffe180
0x7fffffffe180: 0x4141414141414141  0x4141414141414141
0x7fffffffe190: 0x4141414141414141  0x4141414141414141
0x7fffffffe1a0: 0x4141414141414141  0x4242424242424242
0x7fffffffe1b0: 0x0000000000400600  0x00007ffff7a2d830
0x7fffffffe1c0: 0x0000000000000000  0x00007fffffffe298
gdb-peda$ c
Continuing.

Breakpoint 2, 0x0000000000400610 in main ()
gdb-peda$ i r rbp
rbp            0x7fffffffe1b0      0x7fffffffe1b0
gdb-peda$ x/gx 0x7fffffffe1b0 - 0x8
0x7fffffffe1a8: 0x4242424242424242
gdb-peda$ ni
0x0000000000400614 in main ()
gdb-peda$ i r rax
rax            0x4242424242424242  0x4242424242424242
gdb-peda$ ni
0x000000000040061d in main ()
gdb-peda$ i r rax
rax            0x61061c8ecf993242  0x61061c8ecf993242
gdb-peda$ ni
0x000000000040061f in main ()
gdb-peda$ x/3i $rip
=> 0x40061f <main+73>:  call   0x4004a0 <__stack_chk_fail@plt>
   0x400624 <main+78>:  leave
   0x400625 <main+79>:  ret
gdb-peda$ c
Continuing.
*** stack smashing detected ***: /home/lazenca0x0/Documents/Definition/protection/Canary/Canary terminated

Program received signal SIGABRT, Aborted.
```
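The two traces above can be replayed on a byte-level model of main()'s frame. The following is an added Python example, not code from the page, that lays out the frame exactly as the disassembly shows it (Overflow at rbp-0x30, 8 bytes of padding, the canary copy at rbp-0x8), feeds a line through an unbounded gets()-style copy, and performs the epilogue's `xor rax, fs:0x28` compare. The canary of the first run (0x3a3b864735c7b300) is taken from the page; the canary of the second run is not printed on the page and is derived here as 0x61061c8ecf993242 XOR 0x4242424242424242 = 0x23445ecc8ddb7000. The names `make_guard` and `run_main` are this example's own; the zero low byte in `make_guard` is the glibc x86-64 convention, which both page values are consistent with.

```python
import os
import struct

# Frame layout of main() as read from the page's disassembly, as byte offsets
# from the start of Overflow (rbp-0x30):
#   +0x00 .. +0x1f  Overflow[32]        gets() writes from here, unbounded
#   +0x20 .. +0x27  8 bytes of padding  (held 0x00007fffffffe200 in the first trace)
#   +0x28 .. +0x2f  canary (rbp-0x8)    copied from fs:0x28 by the prologue
#   +0x30 .. +0x37  saved rbp
#   +0x38 .. +0x3f  return address
BUF_LEN = 32
CANARY_OFF = 0x28
FRAME_LEN = 0x40


def make_guard(rng=os.urandom) -> int:
    """Per-process random canary in glibc's x86-64 form: 8 random bytes with the
    lowest byte forced to 0x00 so that a string read stops before it (assumption
    about glibc's choice; the page's value 0x3a3b864735c7b300 also ends in 00)."""
    return int.from_bytes(rng(8), "little") & ~0xFF


def run_main(line: bytes, guard: int):
    """Model of main(): the prologue stores the guard at rbp-0x8, gets() copies the
    line plus its terminating NUL into Overflow with no bounds check, and the
    epilogue XORs the stored copy with the guard. Returns (xor_result, outcome),
    the same two facts gdb showed at 0x40061d."""
    frame = bytearray(FRAME_LEN)
    frame[CANARY_OFF:CANARY_OFF + 8] = struct.pack("<Q", guard)  # mov [rbp-0x8], rax
    data = line + b"\0"                                           # gets() appends NUL
    # Unbounded copy: anything past 32 bytes lands on the padding, then the canary,
    # then saved rbp / return address (a longer write simply grows the model frame).
    frame[:len(data)] = data
    stored = struct.unpack_from("<Q", frame, CANARY_OFF)[0]       # mov rax, [rbp-0x8]
    xor_result = stored ^ guard                                   # xor rax, fs:0x28
    if xor_result == 0:                                           # je -> leave; ret
        return xor_result, "returns normally"
    return xor_result, "stack smashing detected"                  # call __stack_chk_fail


if __name__ == "__main__":
    for line in (b"A" * 32, b"A" * 40 + b"B" * 8, b"A" * 40, b"A" * 41):
        xor_result, outcome = run_main(line, 0x23445ecc8ddb7000)
        print(f"{len(line):2d}-byte line: rax = {xor_result:#018x} -> {outcome}")
```

Two details the model makes visible: the check only fires when the write reaches the canary slot, so a 40-byte line that stops in the padding is not detected (the canary detects corruption, it is not a bounds check), and because the canary's low byte is 0x00 the NUL that gets() appends to a 40-byte line lands on that byte without changing it, while a 41-byte line does trip the check.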
Canary_Do-not-set: No canary found

[Table: checksec result for "Not set Canary" versus "Set Canary"; cell contents not recovered]
checksec's test for stack canary support is simply a grep for the `__stack_chk_fail` symbol in the binary's symbol table:

```sh
# check for stack canary support
if readelf -s $1 2>/dev/null | grep -q '__stack_chk_fail'; then
  echo -n -e '\033[32mCanary found \033[m   '
else
  echo -n -e '\033[31mNo canary found\033[m   '
fi
```
```
lazenca0x0@ubuntu:~/Documents/Definition/protection/Canary$ readelf -s ./Canary_Do-not-set |grep __stack_chk_fail
lazenca0x0@ubuntu:~/Documents/Definition/protection/Canary$
```
```
lazenca0x0@ubuntu:~/Documents/Definition/protection/Canary$ readelf -s ./Canary |grep __stack_chk_fail
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
    54: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@@GLIBC_2
lazenca0x0@ubuntu:~/Documents/Definition/protection/Canary$
```
For a running process, checksec reads the executable through /proc/<pid>/exe and first confirms that a symbol table can be read at all, so that an unreadable or stripped binary is not reported as "No canary found":

```sh
# check for stack canary support
if readelf -s $1/exe 2>/dev/null | grep -q 'Symbol table'; then
  if readelf -s $1/exe 2>/dev/null | grep -q '__stack_chk_fail'; then
    echo -n -e '\033[32mCanary found \033[m   '
  else
    echo -n -e '\033[31mNo canary found \033[m   '
  fi
else
  if [ "$1" != "1" ] ; then
    echo -n -e '\033[33mPermission denied \033[m   '
  else
    echo -n -e '\033[33mNo symbol table found\033[m   '
  fi
fi
```
```
lazenca0x0@ubuntu:~/Documents/Definition/protection/Canary$ ./Canary
Hello world!
^Z
[1]+  Stopped                 ./Canary
lazenca0x0@ubuntu:~/Documents/Definition/protection/Canary$ ps -ef|grep Canary
lazenca+ 12602 11197  0 01:21 pts/4    00:00:00 ./Canary
lazenca+ 12604 11197  0 01:21 pts/4    00:00:00 grep --color=auto Canary
lazenca0x0@ubuntu:~/Documents/Definition/protection/Canary$ readelf -s /proc/12602/exe |grep 'Symbol table'
Symbol table '.dynsym' contains 6 entries:
Symbol table '.symtab' contains 70 entries:
lazenca0x0@ubuntu:~/Documents/Definition/protection/Canary$ readelf -s /proc/12602/exe |grep '__stack_chk_fail'
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
    54: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@@GLIBC_2
lazenca0x0@ubuntu:~/Documents/Definition/protection/Canary$
```
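To show what the two checksec snippets are really inspecting when they pipe `readelf -s` into grep, here is an added Python example (not the page's code and not part of checksec) that parses the ELF64 section headers itself: it walks every SHT_SYMTAB / SHT_DYNSYM section, resolves each symbol name through the string table named by `sh_link`, and reports the same three outcomes as the process-mode snippet, with "no symbol table" kept apart from "no canary". The names `symbol_tables`, `canary_status` and `build_elf64` are this example's own; `build_elf64` produces a constructed, non-executable minimal ELF used only as offline sample input.

```python
import struct

# ELF64 on-disk structures (little-endian), field order as in <elf.h>
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")        # Elf64_Shdr, 64 bytes
SYM = struct.Struct("<IBBHQQ")             # Elf64_Sym, 24 bytes
SHT_SYMTAB, SHT_STRTAB, SHT_DYNSYM = 2, 3, 11


def symbol_tables(elf: bytes):
    """Yield the set of symbol names held by each .symtab / .dynsym section.
    st_name is an offset into the string table section given by sh_link."""
    if elf[:5] != b"\x7fELF\x02":          # magic plus ELFCLASS64
        raise ValueError("not an ELF64 file")
    hdr = EHDR.unpack_from(elf, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    shdrs = [SHDR.unpack_from(elf, shoff + i * shentsize) for i in range(shnum)]
    for _, sh_type, _, _, sh_offset, sh_size, sh_link, _, _, sh_entsize in shdrs:
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        str_off, str_size = shdrs[sh_link][4], shdrs[sh_link][5]
        strtab = elf[str_off:str_off + str_size]
        names = set()
        for off in range(sh_offset, sh_offset + sh_size, sh_entsize or SYM.size):
            st_name = SYM.unpack_from(elf, off)[0]
            names.add(strtab[st_name:strtab.index(b"\0", st_name)].decode())
        yield names


def canary_status(elf: bytes) -> str:
    """The decision checksec makes with readelf -s | grep: __stack_chk_fail present
    in any symbol table means the compiler emitted canary checks. A file with no
    symbol table at all is reported as such rather than as 'No canary found'."""
    tables = list(symbol_tables(elf))
    if not tables:
        return "No symbol table found"
    if any("__stack_chk_fail" in names for names in tables):
        return "Canary found"
    return "No canary found"


def build_elf64(undefined_funcs, include_symtab=True) -> bytes:
    """Constructed sample input: a minimal ELF64 whose only content is a
    .dynsym/.dynstr pair importing the given functions (no code, not runnable)."""
    blobs = []   # (section name, sh_type, payload, sh_link, sh_entsize)
    if include_symtab:
        dynstr = b"\0" + b"".join(f.encode() + b"\0" for f in undefined_funcs)
        dynsym = SYM.pack(0, 0, 0, 0, 0, 0)            # index 0 is always the null symbol
        off = 1
        for f in undefined_funcs:
            dynsym += SYM.pack(off, 0x12, 0, 0, 0, 0)  # STB_GLOBAL|STT_FUNC, SHN_UNDEF
            off += len(f) + 1
        blobs += [(b".dynsym", SHT_DYNSYM, dynsym, 2, SYM.size),   # sh_link -> .dynstr (index 2)
                  (b".dynstr", SHT_STRTAB, dynstr, 0, 0)]
    shstrtab = b"\0" + b"".join(n + b"\0" for n, *_ in blobs) + b".shstrtab\0"
    blobs.append((b".shstrtab", SHT_STRTAB, shstrtab, 0, 0))
    data, shdrs, pos = b"", [b"\0" * SHDR.size], EHDR.size   # section 0 is SHN_UNDEF
    for name, sh_type, payload, link, entsize in blobs:
        shdrs.append(SHDR.pack(shstrtab.index(name), sh_type, 0, 0, pos, len(payload),
                               link, 0, 1, entsize))
        data += payload
        pos += len(payload)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LSB, EV_CURRENT
    ehdr = EHDR.pack(ident, 2, 62, 1, 0, 0, pos, 0, EHDR.size, 0, 0,
                     SHDR.size, len(shdrs), len(shdrs) - 1)
    return ehdr + data + b"".join(shdrs)


if __name__ == "__main__":
    import sys
    # Real use: canary_status(open("/proc/<pid>/exe", "rb").read()) or a path on disk.
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "->", canary_status(f.read()))
```

On a real binary pass the file contents (for a running process, `/proc/<pid>/exe` as in the session above). Note that the check is only as good as the symbol tables it can see: a dynamically linked binary keeps `__stack_chk_fail` in `.dynsym` even after stripping, whereas a fully stripped static binary yields "No symbol table found", which is exactly the case the second checksec snippet separates from a genuine "No canary found".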