Exercise 1: debug and find the canary
Use gdb to find the canary position on the stack for a given executable file. Manually overwrite the canary and observe the stack smashing message.
Hint: the canary is read from gs:0x14 and changes at every execution. Register gs points to the process data area (thread-local storage), which contains the canary at a fixed offset.
Exercise 2: show the canary value
Write a program that prints its own canary value.
Hint: once you think you are printing the canary, make the program itself overwrite it so that you make the program self-abort. This will confirm you are really printing the canary.
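As an added example for exercises 1 and 2 (not part of this exercise sheet), here is a C program that reads the canary from its thread-local slot, locates the copy in its own stack frame by scanning the words above a 16-byte buffer, and with --smash flips one bit of that copy so the program self-aborts as the hint suggests. It assumes Linux on x86 (gs:0x14 on the i386 testbed and, generalizing beyond the sheet, fs:0x28 on x86-64) and a build with -fstack-protector; the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Canary in its thread-local slot: gs:0x14 on i386 (the testbed), fs:0x28 on
   x86-64 Linux, the same offsets the compiler's prologue reads. 0 elsewhere. */
uintptr_t tls_canary(void) {
    uintptr_t v = 0;
#if defined(__i386__)
    __asm__ volatile("movl %%gs:0x14, %0" : "=r"(v));
#elif defined(__x86_64__)
    __asm__ volatile("movq %%fs:0x28, %0" : "=r"(v));
#endif
    return v;
}

/* 1 when this build really has canaries: Linux/x86 and one of the __SSP*__
   macros defined, which gcc and clang do when -fstack-protector[-strong|-all] is on. */
int canary_supported(void) {
#if defined(__linux__) && (defined(__i386__) || defined(__x86_64__)) && \
    (defined(__SSP__) || defined(__SSP_STRONG__) || defined(__SSP_ALL__))
    return 1;
#else
    return 0;
#endif
}

/* Find the canary in this function's own frame: scan the words above a 16-byte
   local buffer (pwd_buffer's size) for the TLS value; return its byte offset
   from the buffer, or -1. smash != 0 also flips a bit of that copy, so the
   epilogue check fails and the program aborts: "*** stack smashing detected ***". */
__attribute__((noinline)) int canary_offset_after_buffer(int smash) {
    volatile char buf[16];
    uintptr_t guard = tls_canary();
    memset((char *)buf, 'A', sizeof buf);             /* keep buf on the stack */
    if (guard == 0) return -1;
    for (int off = (int)sizeof buf; off <= 64; off += (int)sizeof guard) {
        /* deliberately past the end of buf; via an integer so no bounds folding */
        volatile uintptr_t *slot = (volatile uintptr_t *)((uintptr_t)buf + off);
        if (*slot != guard) continue;
        if (smash) *slot ^= 1;                         /* corrupt the canary copy */
        return off;
    }
    return -1;
}
int main(int argc, char *argv[]) {
    int smash = argc > 1 && strcmp(argv[1], "--smash") == 0;
    printf("canary (TLS): %#lx\n", (unsigned long)tls_canary());
    printf("canary at buffer+%d\n", canary_offset_after_buffer(smash));
    return 0;
}
```

Build with e.g. gcc -fstack-protector canary.c -o canary (add -m32 on the 32-bit testbed); run ./canary to see the value and its offset, then ./canary --smash to watch the abort.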
Exercise 3: overwrite return address with the canary
Consider the following variant of the vulnerable program we discussed in the previous class, which explicitly reveals the canary:
/*
 Compile on testbed with
   gcc exercise3.c -o exercise3
 This program explicitly leaks the canary.
 Try to attack the program by overwriting the return address in presence
 of the canary (with stack protector enabled!).
*/
#include <stdio.h>
#include <string.h>

// Check password
int check() {
    char pwd_buffer[16];
    // Simulates the leakage of the canary (on the testbed it sits right after the buffer):
    printf("Canary: %08x\n", *(int *)&pwd_buffer[16]);
    // Uncomment to overwrite the canary and force an abort, to double-check its position:
    //pwd_buffer[16] = 'A';
    printf("Insert password: ");
    fflush(stdout);
    scanf("%63s", pwd_buffer);   // deliberately reads up to 63 chars into a 16-byte buffer
    if (strcmp(pwd_buffer, "itisme") == 0)
        return 1;
    else
        return 0;
}

int main(int argc, char *argv[]) {
    fflush(stdout);
    if (check()) {
        printf("AUTHENTICATED!\n"); // this is your target!
    } else
        printf("ACCESS DENIED!\n");
    fflush(stdout);
    return 0;
}
Leaking the canary simulates the presence of a vulnerability that gives read access to the stack.
Try to attack the program by overwriting the return address in presence of the canary (with stack protector enabled!).