Exercises on stack protection

Exercise 1: debug and find the canary

Use gdb to find the canary position on the stack for a given executable file. Manually overwrite the canary and observe the stack smashing message.

Hint: the canary is read from gs:0x14 and changes at every execution. Register gs points to the process data area, which contains the canary at a fixed offset.

Exercise 2: show the canary value

Write a program that prints its own canary value.

Hint: once you think you are printing the canary, make the program itself overwrite it so that you make the program self-abort. This will confirm you are really printing the canary.
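As an added example (not part of the exercise sheet), the following C program does what the hints for Exercises 1 and 2 describe: it reads the canary from thread-local storage (gs:0x14 on 32-bit x86, fs:0x28 on x86-64 Linux) and then scans the words just above a local buffer for the same value, which is where the stack protector prologue keeps its per-frame copy. The function names are my own, the out-of-bounds scan is intentional, and a copy is found only when the program is compiled with -fstack-protector.

```c
/* Added example: read the process canary from TLS and locate its copy
 * on the stack. Not part of the exercise sheet. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1 when this build knows where the C library keeps the stack guard. */
int canary_supported(void) {
#if defined(__linux__) && (defined(__x86_64__) || defined(__i386__))
    return 1;
#else
    return 0;
#endif
}

/* The guard value that every protected function prologue copies into
 * its frame and that the epilogue compares against before returning. */
uintptr_t tls_canary(void) {
    uintptr_t v = 0;
#if defined(__linux__) && defined(__x86_64__)
    __asm__ volatile("mov %%fs:0x28, %0" : "=r"(v));
#elif defined(__linux__) && defined(__i386__)
    __asm__ volatile("mov %%gs:0x14, %0" : "=r"(v));
#endif
    return v;
}

/* Scans the machine words directly after a 16-byte local buffer (as in
 * exercise3.c) and returns the index of the word equal to the TLS guard,
 * or -1 if no copy is there (e.g. built without -fstack-protector). */
int find_canary_slot(void) {
    volatile char buf[16];
    memset((void *)buf, 'A', sizeof buf);
    uintptr_t guard = tls_canary();
    /* Deliberately reads past the end of buf to inspect the frame layout. */
    volatile uintptr_t *p = (volatile uintptr_t *)(buf + sizeof buf);
    for (int i = 0; i < 8; i++)
        if (p[i] == guard)
            return i;
    return -1;
}

int main(void) {
    printf("canary from TLS: %#lx\n", (unsigned long)tls_canary());
    int slot = find_canary_slot();
    if (slot >= 0)
        printf("same value found %d word(s) after the buffer\n", slot);
    else
        printf("no copy next to the buffer (built without -fstack-protector?)\n");
    return 0;
}
```

Run it twice to see the value change between executions, as the hint to Exercise 1 states; with the canary located, overwriting that word is what triggers the stack smashing abort of Exercise 2.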

Exercise 3: overwrite return address with the canary

Consider the following variant of the vulnerable program we discussed in the previous class, which explicitly reveals the canary:

/*
	Compile on testbed with
	gcc exercise3.c -o exercise3

	This program explicitly leaks the canary.

	Try to attack the program by overwriting the return address in presence
	of the canary (with stack protector enabled!).
 */

#include <stdio.h>
#include <string.h>

// Check password
int check() {
	char pwd_buffer[16];

	// Simulates the leakage of the canary: reads the word placed
	// right after the buffer by the stack protector prologue
	printf("Canary: %08x\n", *(int *)&pwd_buffer[16]);
	// Uncomment to overwrite the canary and make the program abort,
	// to double check that the printed value really is the canary
	//pwd_buffer[16] = 'A';

	printf("Insert password: ");
	fflush(stdout);
	// Deliberately vulnerable: accepts up to 63 characters into a 16-byte buffer
	scanf("%63s", pwd_buffer);

	if (strcmp(pwd_buffer, "itisme") == 0)
		return 1;
	else
		return 0;
}

int main(int argc, char *argv[]) {

	fflush(stdout);
	if (check()) {
		printf("AUTHENTICATED!\n"); // this is your target!
	} else
		printf("ACCESS DENIED!\n");
	fflush(stdout);
	return 0;
}

Leaking the canary simulates the presence of a vulnerability that gives read access to the stack.

Try to attack the program by overwriting the return address in presence of the canary (with stack protector enabled!).