Linux Stack Protection By Default

Modern gcc compiler (v9.2.0) protects the stack by default and you will notice it because instead of SIGSEGV on stack overflow you will get a SIGABRT, but it also generates coredumps.

In this case the compiler adds the variable local_10. This variable helds a canary value that is checked at the end of the function.
The memset overflows the four bytes stack variable and modifies the canary value.

The 64bits canary 0x5429851ebaf95800 can't be predicted, but in specific situations is not re-generated and can be bruteforced or in other situations can be leaked from memory for example using a format string vulnerability or an arbitrary read wihout overflowing the stack.

If the canary doesn't match, the libc function __stack_chck_fail is called and terminates the prorgam with a SIGABORT which generates a coredump, in the case of archlinux managed by systemd and are stored on "/var/lib/systemd/coredump/"


❯❯❯ ./test 
*** stack smashing detected ***: terminated
fish: './test' terminated by signal SIGABRT (Abort)

❯❯❯ sudo lz4 -d core.test.1000.c611b7caa58a4fa3bcf403e6eac95bb0.1121.1574354610000000.lz4
[sudo] password for xxxx: 
Decoding file core.test.1000.c611b7caa58a4fa3bcf403e6eac95bb0.1121.1574354610000000 
core.test.1000.c611b : decoded 249856 bytes 

 ❯❯❯ sudo gdb /home/xxxx/test core.test.1000.c611b7caa58a4fa3bcf403e6eac95bb0.1121.1574354610000000 -q 

We specify the binary and the core file as a gdb parameters. We can see only one LWP (light weight process) or linux thread, so in this case is quicker to check. First of all lets see the back trace, because in this case the execution don't terminate in the segfaulted return.

We can see on frame 5 the address were it would had returned to main if it wouldn't aborted.

Happy Idea: we can use this stack canary aborts to detect stack overflows. In Debian with prevous versions it will be exploitable depending on the compilation flags used.
And note that the canary is located as the last variable in the stack so the previous variables can be overwritten without problems.

More information

1. Game Hacking
2. Hacker Techniques Tools And Incident Handling
3. Hack And Tools
4. Pentest Tools Port Scanner
5. Github Hacking Tools
6. Hacking Tools For Windows
7. Hacking App
8. Hacker Tools Apk
9. Hackers Toolbox
10. Hacker Techniques Tools And Incident Handling
11. Hack And Tools
12. Pentest Tools Bluekeep
13. Hack App
14. Pentest Tools Nmap
15. Hacker Tools Linux
16. Pentest Tools Kali Linux
17. Physical Pentest Tools
18. Hacking Tools
19. Hacker
20. Hacking Tools Download
21. Hacker Tools For Ios
22. Pentest Tools Windows
23. Hacking Tools Windows
24. Hacker Tools Online
25. Hacking Tools Software
26. Blackhat Hacker Tools
27. Ethical Hacker Tools
28. Hacking Tools For Beginners
29. Tools 4 Hack
30. Hacking Apps
31. Pentest Tools Framework
32. Pentest Reporting Tools
33. Hacking Tools For Pc
34. Pentest Tools Apk
35. Pentest Tools Android
36. Hacking Tools And Software
37. Hacking Tools For Games
38. Hacker
39. Pentest Tools Open Source
40. Hacker Tools Mac
41. Pentest Tools Website Vulnerability
42. Hack Tools For Games
43. Hacker
44. How To Hack
45. Hack Apps
46. Hack Tools Github
47. Ethical Hacker Tools
48. Hacker Tools For Mac
49. Pentest Tools Download
50. Hacker Tools Github
51. Tools For Hacker
52. Pentest Tools Download
53. Pentest Tools Alternative
54. Pentest Tools Find Subdomains
55. Hack Tools For Pc
56. Hack Tools Download
57. Pentest Tools Online
58. Hacker Tools Online
59. Hacking Tools For Windows 7
60. How To Hack
61. Hacker Tool Kit
62. Hack Tools Github
63. Hacker Tools Free
64. Hacker Tools For Mac
65. Best Hacking Tools 2020
66. Github Hacking Tools