Exercises on canary

Exercise 1: debug and find the canary

Use gdb to find the canary position on the stack for a given executable file. Manually overwrite the canary and observe the stack smashing message.

Hint: the canary is read from gs:0x14 and changes at every execution. The gs register points to the process data area, which holds the canary at a fixed offset.

Exercise 2: show the canary value

Write a program that prints its own canary value.

Hint: once you think you are printing the canary, make the program itself overwrite it so that the program aborts itself. This will confirm you are really printing the canary.
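
A starting point for reading the reference value described in the hint of Exercise 1, added here as an example and not part of the original exercise sheet. The gs:0x14 location is the one given above for 32-bit x86; the %fs:0x28 location for x86-64 Linux and the `__stack_chk_guard` fallback for other targets are assumptions beyond the page, and the function names are hypothetical. The confirmation step from the hint is left to the exercise.

```c
#include <stdint.h>
#include <stdio.h>

/* Names the location this build reads, so the output can be compared
   with the load seen in a function prologue under gdb. */
static const char *canary_source(void)
{
#if defined(__i386__)
    return "%gs:0x14";            /* location given in the hint */
#elif defined(__x86_64__)
    return "%fs:0x28";            /* assumption: x86-64 Linux TLS slot */
#else
    return "__stack_chk_guard";   /* assumption: global guard variable */
#endif
}

/* Reads the reference canary that protected functions copy onto
   their stack frame on entry and compare against before returning. */
static uintptr_t read_canary(void)
{
    uintptr_t value;
#if defined(__i386__)
    __asm__ volatile ("movl %%gs:0x14, %0" : "=r"(value));
#elif defined(__x86_64__)
    __asm__ volatile ("movq %%fs:0x28, %0" : "=r"(value));
#else
    extern uintptr_t __stack_chk_guard;
    value = __stack_chk_guard;
#endif
    return value;
}

int main(void)
{
    uintptr_t first = read_canary();
    uintptr_t second = read_canary();

    /* The value is fixed for the lifetime of the process... */
    printf("canary read from %s: 0x%0*lx\n", canary_source(),
           (int)(2 * sizeof first), (unsigned long)first);
    printf("stable within this run: %s\n", first == second ? "yes" : "no");

    /* ...but a second execution prints a different value. */
    return first == second ? 0 : 1;
}
```

Run the program several times: the printed value stays the same within one run and differs between runs, as the hint in Exercise 1 states.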

Exercise 3: overwrite return address with the canary

Modify the vulnerable program we discussed in the previous class so that it explicitly reveals the canary. This simulates the presence of a vulnerability that gives read access to the stack. Then, try to attack the program by overwriting the return address in the presence of the canary (with stack protector enabled!).