Stack Canaries
Buffer Overflow prevention
Stack canaries are a simple mitigation. In the prologue of a protected function, a random value (the canary) is written on the stack between the local buffers and the saved frame pointer and return address. Before the function executes `ret`, the current value of that slot is compared with the original: if they match, the part of the frame between the buffers and the return address is assumed intact and execution continues.
If they differ, a linear overflow has overwritten the canary on its way towards the return address, and the program aborts instead of returning, typically with a `*** stack smashing detected ***` message.
Add the parameter `-fno-stack-protector` when compiling with gcc to disable the canary. Note that many distributions build gcc with `-fstack-protector-strong` enabled by default, so a binary can be protected even if no flag was passed explicitly.
Bypassing canaries
Leak
If the canary value can be leaked (for example through a format string bug or an over-read that prints the stack contents up to and past the canary), the overflow can simply write the correct value back into the canary slot. The check then passes, and the bytes after the canary (saved frame pointer, return address) can be overwritten as in an unprotected binary.
Bruteforce
The canary is generated randomly for each process at run time, and on glibc its least significant byte is always 0x00 so that string functions stop on it.
For a 32-bit process there are 2^32 = 4294967296 possible values, so injecting 4 random bytes has a tiny but non-zero chance of passing the check. On Linux only 3 bytes are unknown, which leaves 2^24 = 16777216 possibilities.
For a 64-bit process there are 2^64 (about 1.8e19) values, or 2^56 (about 7.2e16) with the null byte fixed. Since every wrong guess kills the process and a fresh process gets a fresh canary, guesses do not accumulate, so blind brute force is not practical.
There is still a situation where the canary can be brute-forced: when the process calls fork().
When the process calls fork(), the child is an exact duplicate of the parent, canary included, and the canary is not regenerated. If the vulnerable code runs in the child (the usual layout of a forking network server), a wrong guess only kills that child while the parent keeps serving with the same canary. The attacker can then guess the canary one byte at a time: overwrite only the first unknown byte, check whether the child crashes, keep the byte that survives and move on to the next. This needs at most 256 tries per byte, so at most 3 × 256 = 768 tries on 32-bit and 7 × 256 = 1792 on 64-bit, instead of 2^24 or 2^56.
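As an added example (not code from the original page), the following C program models the three points above: the canary check itself, the leak case in which the already-known canary is written back in place, and the fork() brute force one byte at a time. The vulnerable frame is simulated with a struct so the program runs safely on a normal stack-protected build; `victim`, `child_survives`, `overflow_with_canary` and `bruteforce_canary` are names chosen here, and the assumptions are a Linux/glibc-style canary whose lowest byte in memory is 0x00 and a little-endian layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

#define BUF_SIZE     32
#define CANARY_BYTES 8

/* Constructed model of a canary-protected frame: the local buffer sits
 * directly below the canary slot, which the compiler places just under
 * the saved frame pointer and return address. */
struct frame {
    uint8_t  buf[BUF_SIZE];
    uint64_t canary;
};

/* The vulnerable function (simulated): unbounded copy of attacker data
 * into the buffer, followed by the epilogue canary check.  abort() stands
 * in for __stack_chk_fail's "*** stack smashing detected ***". */
static void victim(const uint8_t *payload, size_t len, uint64_t real_canary)
{
    struct frame fr;
    fr.canary = real_canary;        /* prologue: canary stored above the buffer */
    memcpy(&fr, payload, len);      /* overflow: len > BUF_SIZE runs into the canary */
    if (fr.canary != real_canary)   /* epilogue: compare before "ret" */
        abort();
}

/* Run victim() in a forked child, like a forking server handling one
 * client.  Returns 1 if the child returned cleanly, 0 if it aborted.
 * Every child is a copy of this process, so all of them share one canary. */
static int child_survives(const uint8_t *payload, size_t len, uint64_t real_canary)
{
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); exit(1); }
    if (pid == 0) {
        struct rlimit no_core = { 0, 0 };
        setrlimit(RLIMIT_CORE, &no_core);   /* no core file per wrong guess */
        victim(payload, len, real_canary);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) { perror("waitpid"); exit(1); }
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Leak case: an attacker who already knows the canary writes it back in
 * place, and the overflow passes the check.  Returns 1 if it passed. */
int overflow_with_canary(uint64_t known_canary, uint64_t real_canary)
{
    uint8_t payload[BUF_SIZE + CANARY_BYTES];
    memset(payload, 'A', BUF_SIZE);
    memcpy(payload + BUF_SIZE, &known_canary, CANARY_BYTES);
    return child_survives(payload, sizeof payload, real_canary);
}

/* Fork case: recover the canary one byte at a time.  The lowest byte in
 * memory is assumed to be 0x00 (glibc terminator byte, little-endian), so
 * 7 bytes are guessed: at most 7 * 256 = 1792 forks instead of 2^56.
 * *attempts (optional) receives the number of forks used.  Returns 0 if
 * no value survived for some byte, i.e. the 0x00 assumption was wrong. */
uint64_t bruteforce_canary(uint64_t real_canary, unsigned *attempts)
{
    uint8_t payload[BUF_SIZE + CANARY_BYTES];
    memset(payload, 'A', BUF_SIZE);
    payload[BUF_SIZE] = 0x00;
    unsigned tries = 0;
    uint64_t recovered = 0;
    for (size_t i = 1; i < CANARY_BYTES; i++) {
        int found = 0;
        for (int guess = 0; guess < 256 && !found; guess++) {
            payload[BUF_SIZE + i] = (uint8_t)guess;
            tries++;
            /* Overwrite only the bytes recovered so far plus one new guess;
             * the child keeps the remaining canary bytes intact. */
            found = child_survives(payload, BUF_SIZE + i + 1, real_canary);
        }
        if (!found) { if (attempts) *attempts = tries; return 0; }
    }
    if (attempts) *attempts = tries;
    memcpy(&recovered, payload + BUF_SIZE, CANARY_BYTES);
    return recovered;
}

int main(void)
{
    srand((unsigned)getpid());
    uint64_t canary = (((uint64_t)rand() << 33) ^ ((uint64_t)rand() << 8)) & ~0xFFULL;
    unsigned forks;
    uint64_t got = bruteforce_canary(canary, &forks);
    printf("canary %016llx recovered %016llx after %u forks\n",
           (unsigned long long)canary, (unsigned long long)got, forks);
    return got == canary ? 0 : 1;
}
```

The per-byte loop only works because the parent never changes its canary and a partial overwrite leaves the untouched bytes valid in the child; against a server that re-executes itself (execve) per connection, each child would get a fresh canary and the attack degrades back to the full 2^56 search.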