Linux Stack Protection By Default

By love Posted On 4:25 AM // Leave a Comment
Modern gcc compiler (v9.2.0) protects the stack by default and you will notice it because instead of SIGSEGV on stack overflow you will get a SIGABRT, but it also generates coredumps.




In this case the compiler adds the variable local_10. This variable helds a canary value that is checked at the end of the function.
The memset overflows the four bytes stack variable and modifies the canary value.



The 64bits canary 0x5429851ebaf95800 can't be predicted, but in specific situations is not re-generated and can be bruteforced or in other situations can be leaked from memory for example using a format string vulnerability or an arbitrary read wihout overflowing the stack.

If the canary doesn't match, the libc function __stack_chck_fail is called and terminates the prorgam with a SIGABORT which generates a coredump, in the case of archlinux managed by systemd and are stored on "/var/lib/systemd/coredump/"


❯❯❯ ./test 
*** stack smashing detected ***: terminated
fish: './test' terminated by signal SIGABRT (Abort)

❯❯❯ sudo lz4 -d core.test.1000.c611b7caa58a4fa3bcf403e6eac95bb0.1121.1574354610000000.lz4
[sudo] password for xxxx: 
Decoding file core.test.1000.c611b7caa58a4fa3bcf403e6eac95bb0.1121.1574354610000000 
core.test.1000.c611b : decoded 249856 bytes 

 ❯❯❯ sudo gdb /home/xxxx/test core.test.1000.c611b7caa58a4fa3bcf403e6eac95bb0.1121.1574354610000000 -q 


We specify the binary and the core file as a gdb parameters. We can see only one LWP (light weight process) or linux thread, so in this case is quicker to check. First of all lets see the back trace, because in this case the execution don't terminate in the segfaulted return.




We can see on frame 5 the address were it would had returned to main if it wouldn't aborted.



Happy Idea: we can use this stack canary aborts to detect stack overflows. In Debian with prevous versions it will be exploitable depending on the compilation flags used.
And note that the canary is located as the last variable in the stack so the previous variables can be overwritten without problems.




More articles
  1. Hackers Toolbox
  2. Hacking Tools For Windows
  3. Hack Tools
  4. Pentest Tools Framework
  5. Tools For Hacker
  6. Pentest Tools List
  7. Hacker Tools List
  8. Hacking Tools For Windows 7
  9. Hacking Tools Mac
  10. Hacker Tools List
  11. Hackers Toolbox
  12. Hacker Tools Apk Download
  13. Pentest Tools Online
  14. Hack Tools For Windows
  15. Hacking Tools For Windows
  16. Hacker Tools Apk
  17. Best Hacking Tools 2019
  18. Hack Tools For Games
  19. What Is Hacking Tools
  20. Pentest Recon Tools
  21. Pentest Tools
  22. Hacking Tools Kit
  23. Hack App
  24. Pentest Tools Github
  25. Hacker Tools Free
  26. New Hacker Tools
  27. Hacking Tools Mac
  28. Hack Tools Online
  29. Usb Pentest Tools
  30. Hacker Tools Github
  31. Hacker Tools
  32. New Hacker Tools
  33. Hack Tools Online
  34. Hack Tools For Pc
  35. Pentest Tools For Android
  36. Pentest Tools
  37. Pentest Tools Alternative
  38. Black Hat Hacker Tools
  39. Best Pentesting Tools 2018
  40. Hacking Tools Software
  41. Kik Hack Tools
  42. Hacking Tools 2019
  43. Growth Hacker Tools
  44. Hacker Tools For Pc
  45. Hacking Tools For Beginners
  46. How To Hack
  47. Usb Pentest Tools
  48. Tools 4 Hack
  49. Pentest Tools Review
  50. Hacking Tools For Beginners
  51. Hacking Tools 2019
  52. Hacking Tools Software
  53. Ethical Hacker Tools
  54. Hacking Tools Online
  55. Pentest Tools For Windows
  56. Hacker Tools Apk Download
  57. New Hacker Tools
  58. Hacker Tools List
  59. New Hack Tools
  60. Computer Hacker
  61. Bluetooth Hacking Tools Kali
  62. Hacking Tools Windows
  63. Hacking Tools For Windows 7
  64. Pentest Recon Tools
  65. Hacker Tool Kit
  66. Hacking Tools Hardware
  67. Beginner Hacker Tools
  68. Pentest Tools Website
  69. Hacking Tools For Kali Linux
  70. Hacker Tool Kit
  71. Pentest Recon Tools
  72. Pentest Tools Port Scanner
  73. What Is Hacking Tools
  74. Pentest Tools Nmap
  75. Hack Tools
  76. Install Pentest Tools Ubuntu
  77. Black Hat Hacker Tools
  78. Hacker Techniques Tools And Incident Handling
  79. Pentest Tools Alternative
  80. Game Hacking
  81. Pentest Tools Windows
  82. Pentest Tools Download
  83. New Hacker Tools
  84. Hacking Tools For Mac
  85. Top Pentest Tools
  86. Best Hacking Tools 2019
  87. Physical Pentest Tools
  88. Beginner Hacker Tools
  89. Tools For Hacker
  90. New Hacker Tools
  91. Nsa Hack Tools
  92. Pentest Tools Url Fuzzer
  93. Pentest Tools Free
  94. Android Hack Tools Github
  95. Hacks And Tools
  96. Nsa Hack Tools
  97. Termux Hacking Tools 2019
  98. Ethical Hacker Tools
  99. Hacker Search Tools
  100. Free Pentest Tools For Windows
  101. Hacking Tools
  102. Game Hacking
  103. Hacking Tools Windows
  104. Termux Hacking Tools 2019
  105. Nsa Hack Tools Download
  106. Best Hacking Tools 2019
  107. Hacker Tools Mac
  108. Pentest Tools Linux
  109. Nsa Hack Tools
  110. Hacker Hardware Tools
  111. Hacker Tools Linux
  112. Hack Tools For Windows
  113. Pentest Tools Tcp Port Scanner

Labels:

0 comments:

Post a Comment