6

I was testing a simple C program with stack canary protection. I attempted to bypass the protection by overwriting past the function's return address and overwriting main's address. I am overwriting it with the address of a function within the target program. I get the following result which leads me to believe an attack is possible: enter image description here

It detected the smash, but it looks like it attempted to jump into the target function, which is "yo". I attempted to manipulate whatever address it was attempting to access, but no luck.

My question is, is further exploitation possible? Is it terminating as a result of SIGSEGV (i.e. accessing 0x1010...) or the canary detection?

The idea came from this article

The program:

enter image description here

dylan7
  • 747
  • 1
  • 9
  • 18
  • out of curiosity, what is the simple C program you are testing? – mcgyver5 Mar 07 '16 at 00:28
  • 1
    Why are you messing around with the return address? You need to override the Exception handler to defeat canaries, you don't need ROP here. – whatever489 Mar 07 '16 at 01:18
  • @whatever489 I was reading about that, but all the examples I found were for Windows. Any advice on how to overwrite the exception handler? I assume it's called _stack_check_failed , which is what it says in the output I posted – dylan7 Mar 07 '16 at 06:08
  • Also what's the reasoning ROP isn't necessary ? – dylan7 Mar 07 '16 at 06:55
  • 1
    @dylan7 ROP isn't necessary because when the canary check fails, it goes through an Exception. If you can override that Exception in the stack, you can already do everything you want. Sorry I can't help you with examples, I was just taught the theory behind buffer overflow protections. – whatever489 Mar 07 '16 at 13:40

1 Answers1

3

It's terminating as a result of the canary detection. Just because GDB shows the stack frames including your other return address does not mean code execution would have ever gotten there -- GDB is just reading the addresses up the stack ("unwinding the stack") to display the information to you. You would only have gotten to yo if you had successfully returned from all of those functions, but since __stack_chk_fail results in the program dying without returning, that would not happen.

To bypass stack canaries, you pretty much need to leak, guess, or brute force the canary value, find an arbitrary write (e.g., write over EIP without overwriting the canary), or find an exploitable bug in the stack canary handler.

David
  • 16,074
  • 3
  • 51
  • 74