maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md

34 lines
2.5 KiB
Markdown
Raw Blame History

# Print Stack Canary
{{#include ../../../banners/hacktricks-training.md}}
## Enlarge printed stack
Fikiria hali ambapo **programu iliyo hatarini** kwa stack overflow inaweza kutekeleza **puts** function **ikiashiria** **sehemu** ya **stack overflow**. Mshambuliaji anajua kwamba **byte ya kwanza ya canary ni byte ya null** (`\x00`) na sehemu nyingine za canary ni **bytes** za **kijakazuri**. Kisha, mshambuliaji anaweza kuunda overflow ambayo **inaandika tena stack hadi byte ya kwanza ya canary**.
Kisha, mshambuliaji **anaita functionality ya puts** katikati ya payload ambayo it **achapisha canary yote** (isipokuwa byte ya kwanza ya null).
Kwa habari hii mshambuliaji anaweza **kuunda na kutuma shambulio jipya** akijua canary (katika **sehemu hiyo hiyo ya programu**).
Kwa wazi, mbinu hii ni **kikomo** kwani mshambuliaji anahitaji kuwa na uwezo wa **kuchapisha** **maudhui** ya **payload** yake ili **kuondoa** **canary** na kisha aweze kuunda payload mpya (katika **sehemu hiyo hiyo ya programu**) na **kutuma** **overflow halisi ya buffer**.
**CTF examples:**
- [**https://guyinatuxedo.github.io/08-bof_dynamic/csawquals17_svc/index.html**](https://guyinatuxedo.github.io/08-bof_dynamic/csawquals17_svc/index.html)
- 64 bit, ASLR imewezeshwa lakini hakuna PIE, hatua ya kwanza ni kujaza overflow hadi byte 0x00 ya canary ili kisha kuita puts na kuvuja. Kwa canary, gadget ya ROP inaundwa kuita puts ili kuvuja anwani ya puts kutoka GOT na gadget ya ROP kuita `system('/bin/sh')`
- [**https://guyinatuxedo.github.io/14-ret_2_system/hxp18_poorCanary/index.html**](https://guyinatuxedo.github.io/14-ret_2_system/hxp18_poorCanary/index.html)
- 32 bit, ARM, hakuna relro, canary, nx, hakuna pie. Overflow na wito kwa puts juu yake ili kuvuja canary + ret2lib ikitoa `system` na mnyororo wa ROP kuondoa r0 (arg `/bin/sh`) na pc (anwani ya system)
## Arbitrary Read
Kwa **kusoma bila mpangilio** kama ile inayotolewa na **format strings** inaweza kuwa inawezekana kuvuja canary. Angalia mfano huu: [**https://ir0nstone.gitbook.io/notes/types/stack/canaries**](https://ir0nstone.gitbook.io/notes/types/stack/canaries) na unaweza kusoma kuhusu kutumia format strings kusoma anwani za kumbukumbu bila mpangilio katika:
{{#ref}}
../../format-strings/
{{#endref}}
- [https://guyinatuxedo.github.io/14-ret_2_system/asis17_marymorton/index.html](https://guyinatuxedo.github.io/14-ret_2_system/asis17_marymorton/index.html)
- Changamoto hii inatumia kwa njia rahisi sana format string kusoma canary kutoka stack
{{#include ../../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink