- -fstack-protector: Check for stack smashing in functions with vulnerable objects. This includes functions with buffers larger than 8 bytes or calls to alloca.
- -fstack-protector-strong: Like -fstack-protector, but also includes functions with local arrays or references to local frame addresses.
In this tutorial, we will explore a defense mechanism against stack overflows, namely the stack canary. It is the most primitive form of defense, yet effective and cheap, which is why it is enabled in most, if not all, binaries you can find in modern distributions. The lab challenges showcase a variety of stack canary designs and highlight their subtle pros and cons in various target applications.
Step 0. Revisiting 'crackme0x00'
This is the original source code of the crackme0x00 challenge that we are quite familiar with:
We are going to compile this source code into four different binaries with the following options:
There are a few interesting compilation options that we used:
- For reference, the stack protector options available in gcc are: -fstack-protector-all: Adds the stack-canary saving prefix and stack-canary checking suffix to all function entry and exit. Results in substantial use of stack space for saving the canary for deep stack users (e.g. Historically xfs), and measurable (though shockingly still low.
- -fno-stack-protector: do not use a stack protector
- -z execstack: make its stack 'executable'
So we name each binary with the following convention:
Step 1. Let's crash the 'crackme0x00' binary
crackme0x00-nossp-exec behaves exactly the same as crackme0x00. Not surprisingly, it crashes with a long input:
What about crackme0x00-ssp-exec, compiled with a stack protector?
The 'stack smashing' is detected, so the binary aborts itself before the corrupted return address can be used; the result is a crash instead of a hijacked control flow.
You might want to run gdb to figure out what is going on in this binary:
Step 2. Let's analyze!
To figure out how the two binaries differ, we (so kind!) provide you a script, ./diff.sh, that compares two binaries side by side.
Two notable differences are at the function prologue and epilogue. In the prologue, an extra value (loaded from %gs:0x14) is placed right after the frame pointer on the stack:
In the epilogue, the function validates that the inserted value is still the same right before returning to its caller:
__stack_chk_fail_local() is the function you observed in gdb's backtrace.
Step 3. Stack Canary
This extra value is called a 'canary' (a bird, umm why?). More precisely, what are these values?
Did you notice that the canary value keeps changing between runs? This is great, because an attacker must correctly guess the canary value (i.e., bypass the check) before exploitation can succeed.
Step 4. Bypassing Stack Canary
However, what if the stack canary implementation is not 'perfect', meaning that an attacker might be able to guess the value (i.e., what is stored at %gs:0x14)?
Let's check out this binary:
Instead of this:
What about this? This implementation uses a known value (i.e., 0xdeadbeef) as a stack canary.
So the stack should be like:
[Task] How could we exploit this program, as in last week's tutorial, and get the flag?