Stack Overflow Protection and Integer Protection
say something
I used to think it was useless to learn the principle, it is better to practice it
The principles are many, complicated, and useless
When you actually do it, you find that the principle is that you can do it and you can't do it.
Fundamentally guide practice and reduce trial and error time by 100%
The unity of knowledge and action…
Canary principle
Canary is to insert a value at the end of the stack. When the function returns, check whether the canary changes and determine whether it overflows.
Compile with gcc:
gcc … -fstack-protector
If Canary checks it, the __stack_chk_failed function will be called
Bypass:
Bypass Method 1
Bypass method 1 can only be used by exploiting at least two stack overflows
After V3, the canary is turned on, so v3 is the canary byte
The first print canary, the second use
buf distance ebp, 10C bytes, v3 distance ebp, C bytes, so buf is 100 bytes
gdb:
play
disas vuln
These commands represent canary,
gdb can create random characters
stack overflow detected
Debugging with gdb
As you can see, the end value of canary is 00
[External link image transfer failed, the source site may have anti-leech mechanism, it is recommended to save the image and upload it directly (img-4NuXm0BJ-1647349943625) (C:\Users\admin\AppData\Roaming\Typora\typora-user-images\ image-20220314195932905.png)]
As you can see, ebp-0xC is the canary value,
0xffc66a68 is the value of ebp,
0x08048695 is the return address, so there must be 3 bytes after the canary to be the return address
The sendline function will add a carriage return before sending, so it is 0x101 characters
The received 4 characters are canary, minus the carriage return 0xa is canary.
Note: carriage return will cause one more character to be entered
Canary will change randomly, but canary can be blasted in the fork function
Bypass Method 2
The canary value that is called multiple times is exactly the same as the parent process, so it can be blasted
First fill in 0x100 bytes, connect the cannary value, and canary 4 bytes, so the last byte is 0x00, the first three bytes are blasted, and if it is tampered with, the output information
Bypass Method 3
Modify the got table of the function
It can overflow to canary at most, and cannot cover the ebp and ret addresses. Therefore, it is necessary to use the format string vulnerability to convert the getshell function to the got table of the chk_fail function, so that the stack overflow triggers the getshell function.
There are three points in the format string: the address to be rewritten, the value to be written, and the format string is the first parameter
The chk_fail function has not been called before, so it is the second instruction of plt
The high byte of get_shel is the same as chk_fail, so only the low byte needs to be changed
%%%dc realizes the output of addr-4 characters, addr-4 is because stack_chk_fail is output first, which is 4 bytes
Finally, write the number corresponding to the previous parameter to the address corresponding to the seventh parameter (the number corresponding to buf)
Bypass Method 4
v4: buf size is 0x100
IO_gets is gets, input with unlimited length, truncate with 0 characters, and overwrite the flag address
Note: The local flag content is not the same as the remote flag!
Find the offset between the argv[0] of the chk_fail function and the flag address before it can be overwritten
64 bit so parameter passing is through registers, rdi, rsi, rdx, rcx, r8, r9
If the ELF file is small, there will be multiple mappings
So use the find command to find strings and addresses
Find the initial address, 0x400d20, which is the address to be modified
0x218 is the address offset. When stack_chk_fail is executed, the value of new_flag_addr will be output
Bypass Method 5
The initial value of canary is stack_guard in the TLS structure,
Modify stack_guard to bypass canary
The input is much larger than an array of char s and can overflow
If there is no symbol table (striped) in gdb, debugging is inconvenient, but it can be debugged by combining IDA and gdb
If the stack is closer to TLS, it can overflow
So fill (TLScanary address - buf start address) with useless value
Note that there will also be a canary when overflowing, and this canary should also be modified to the same
There is no ready-made getshell for this question, so you need to get the system address for the first time, and execute /bin/sh for the second time.
Use the read function to read the system function, generate a stack offset to the data segment and directly execute the system function, and then construct the read chain,
The read function takes 3 arguments, so fill
pop_rdi_ret can pass parameters
The leave instruction moves rbp to rsp, so the stack is offset