> For the complete documentation index, see [llms.txt](https://www.ctfrecipes.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.ctfrecipes.com/pwn/protections/stack-canaries.md).

# Stack Canaries

Stack Canaries are very simple - at the beginning of the function, a random value is pushed on the stack. Before the program executes `ret`, the current value of that variable is compared to the initial: if they are the same, no buffer overflow has occurred.

If they are not, the attacker attempted a buffer overflow to control the return pointer and the program crashes, often with a `***stack smashing detected***` error message.

{% hint style="info" %}
On Linux, stack canaries end with`00`. This is so that they null-terminate any strings in case you make a mistake when using print functions, but it also makes them easier to spot.
{% endhint %}

```
   address     |   values
---------------+------------------------------------------------------------------
               |   +---------------- HelloWorld stack frame -----------------+
               |   | +------------ stack marge -------------+ +-- canary --+ |
   0xffffd264  |   | | 0x00000000   0x00000000   0x00000000 | | 0x54869500 | | 
               |   | +--------------------------------------+ +------------+ |
               |   +---------------------------------------------------------+
               |   +-------------------- main stack frame -------------------+
               |   | +-saved ebp -+ +-saved eip -+ +---- function params ---+|
   0xffffd274: |   | | 0xffffd298 | | 0x565561dd | | 0x00000001  0x00000002 ||
               |   | +------------+ +------------+ +------------------------+|
```

{% hint style="danger" %}
Add the parameter `-fno-stack-protector` using gcc in order to disable stack canary when compiling the binary
{% endhint %}

## Bypassing canaries

### Leak

The main aim is to read the value, which can differ from binary to binary. One simple option is to use a [format string](/pwn/stack-exploitation/format-string/data-leak.md) if it is present, as the canary, like other local variables, is on the stack and can be easily leaked off the stack through this method.

After the canary has been determined, the correct canary value can be rewritten when an overflow occurs.

### Bruteforce

The canary is generated randomly for each process at run-time.

For a 32-bits process, there is 4294967296 possibilities, then by injecting random 4 bytes there is a quasi-null but non null possibility to bypass it. On linux there is only 3 bytes to retrieve which is only 16777216 possibilities.

For a 64-bits process there is 1.844674407e+19 possibilities... So this is impossible.

There is still a situation where the canary can be bruteforce: when the process make a fork().

When the process make a `fork()`the entire process is exactly duplicate, canary included. Then it's possible to guess the canary one byte at a time.

```
             |   Canary
    Buffer   | 42 52 18 42
 ------------|-------------|
 4141...4141 | 00 52 18 42 | <-- Crash
 4141...4141 | 01 52 18 42 | <-- Crash
 ...         | ...         |
 4141...4141 | 42 52 18 42 | <-- No crash
```


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://www.ctfrecipes.com/pwn/protections/stack-canaries.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.