Exercises on stack protection

Exercise 1: debug and find the canary

Use gdb to find the canary position on the stack for a given executable file. Manually overwrite the canary and observe the stack smashing message.

Hint: the canary is read from gs:0x14 and changes at every execution. The gs register points to the process data area, which contains the canary at a fixed offset.

Exercise 2: show the canary value

Write a program that prints its own canary value.

Hint: once you think you are printing the canary, make the program itself overwrite it so that the program aborts. This will confirm that you are really printing the canary.

Exercise 3: overwrite return address with the canary

Consider the following variant of the vulnerable program we discussed in the previous class, which explicitly reveals the canary:

Leaking the canary simulates the presence of a vulnerability that gives read access to the stack.

Try to attack the program by overwriting the return address in the presence of the canary (with stack protector enabled!).