In my previous blogs, I show you guys how to bypass some common protection usually used in Linux binary such as NX and ASLR but this time we are going to take it to the next level we are going to talk about protection employ in the modern Linux OS which is "The Canaries" and how to bypass it.
note: this post was not originally mined it was inspired by the following resources
https://ctf-wiki.github.io/ctf-wiki/pwn/linux/mitigation/canary/
(Credit goes to the author)
we are going to start this post about what is stack canaries and types of different implementation of it then move to the implementation about how to bypass this protection. We are going to focus on "leak canaries" technique
What is stack canary:
In layman terms, canaries are just another protection mechanism to prevent stack overflow implemented by appending 4/8 bytes value (depend on the architecture) into the stack when a function is entered. When the function is at the end of its execution, the appended 4/8 bytes is checked if it is changed or not. To make it more clear take a look at the two figures below the first figure show function without canaries whereas the other is a function with a canary.
without canary
with canary
in the First figure if there is an overflow occur it will rewrite the return address of the function but if the canary is put before the return address it will be overwritten by the overflow character thus make the checking faulty instead continue the execution that contains with overflow character the program will immediately exit and say "stack smashing detected"
consider this program:
#include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <string.h> void getshell(void) { system("/bin/sh"); } void init() { setbuf(stdin, NULL); setbuf(stdout, NULL); setbuf(stderr, NULL); } void vuln() { char buf[100]; for(int i=0;i<2;i++){ read(0, buf, 0x200); printf(buf); } } int main(void) { init(); puts("Hello Hacker!"); vuln (); return 0; }
compiled by: gcc -m32 -no-pie bypass_canary.c -o bypass_canary
try to test it by inserting a large chunk of data
Not to mention canary has four types that can be used by the developer:
OF COURSE NOT!
Hackers always find a creative way to bypass any obstacle that they encounter in every turn, so pull your socks and tight your seatbelt because we are going to have a ride.
This is some common technique that I know to bypass stack canaries: information leakage, ret2write, the format string, and brute force but in the end, there is no general way to bypass canary you need to be creative to bypass this check.
as mentioned at the beginning of the post we are going to focus on information leakage and brute force.
Information Leakage:
We are going to use the previous code that shows stack smashing detected when we send a huge chunk of characters.as you guys know that the read function allocates memory in the wrong manner that can cause buffer overflow but sine we have stack canary on it protect itself from overflowing the memory.
Let's take a deeper look in the stack canary under the hood
go to the vuln function and pay attention at the end of the return function notice that there is a "__stack_chk_fail" call function this is actually an exception that will be triggered if an overflow occurs.
in 0x080486c0 the register eax that assigned from ebp-0xc is XORed with gs:0x14. "gs" is stands for segment register and we cannot obtainer directly from GDB.
If the value XORed operation is 0 this will continue the execution while on the other hand if the value is not 0 it will called the exception
wait ! how the program obtain this ebp-0xc value? you can check this memory allocation at the beginning of the function.
see the resemblance with the previous figure? the segment register is used again but this time it was assigned at ebp-0xc using register eax
so we can see that the program set up the canary in the following manner. First, they assigned the segment register before the return function and when it comes at the end of the function it will be check again whether not change or not
Next, let's find out how much offset we need to reach the canary. You need to put a breakpoint at 0x080486c0 so we can calculate the offset.
as usual, generate a chunk of random pattern and input it to the program
so we need 100 bytes of offset to reach the canaries. Input 100 characters to the program and check the stack like the below figure we can see it reach the canary but also it rewrites the first few bytes with "0xa". As you remember read() function always append the newline character in every input string we have.
But do you recognize something strange with the result?
there is some kinda an extra character that is spilled out but what is it?
Do you believe me that is that the stack canary?
how is it possible? let me explain when we input read function with 100 characters it is also appended with newline character that overwrites the canary which is, in this case, 0x4380d600 -> 4380d60a
note: stack canaries always end with null bytes "00"
By the end of the function, it uses printf function to show the variable but if we look at the details of it printf only stop printing if it hits "null bytes" since the null bytes in canaries is gone it will spill out the rest stack until it found the next null bytes which are, in this case, 0xffffcdb8 -> 0x0804a000
so from here, we abe to leak the information of the canaries and we can use this to craft our payload
create a python script like the following figure, this will automatically get the canary of the program:
cool so we can retrieve the canary in the runtime and we can see here in the below figure that the distance between the canary and the EIP is 12 bytes.
So update your script like the following figure:
cool! so we can bypass the canary protection
Comments
Post a Comment