
Cookie

Stack Cookies

This is a random value placed on the stack that is checked before a function returns, to detect whether the stack has been overwritten.
- Is enabled by default in compilation
- The value sits immediately below the saved Base Pointer and the saved return address, so a linear overflow from a local buffer hits it before it reaches either of them.
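The layout and the check described above, as an added model in plain C (this is not code from the page, and not a compiler's real implementation): a struct places a local buffer, the cookie, a stand-in saved base pointer and a stand-in return address in the order the compiler uses, an unbounded copy is run into the buffer, and the epilogue comparison is performed by hand. The reference cookie value, the placeholder frame values and the function names are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Educational model of a stack cookie (constructed for this page, not the
 * compiler's own code). With gcc -fstack-protector the cookie is stored
 * between the local buffers and the saved base pointer / return address and
 * compared against a per-process reference value in the epilogue;
 * __stack_chk_fail() aborts the process on mismatch. The struct below keeps
 * the same order so the effect of an overflow can be observed in plain C. */
typedef struct {
    char     buf[16];     /* local buffer an overflow starts from */
    uint64_t cookie;      /* stack cookie: first slot a linear overflow reaches */
    uint64_t saved_bp;    /* stand-in for the saved base pointer */
    uint64_t ret_addr;    /* stand-in for the saved return address */
} demo_frame;

/* Reference cookie. Assumption for the demo: a fixed constant. In a real
 * process the kernel supplies random bytes (AT_RANDOM) and glibc keeps the
 * cookie in thread-local storage; its low byte is forced to zero so that
 * C string functions stop at it. */
#define DEMO_REFERENCE_COOKIE 0x1a2b3c4d5e6f7000ULL

enum check_result {
    FRAME_OK       = 0,   /* cookie intact: the return would proceed */
    COOKIE_SMASHED = 1    /* cookie changed: the epilogue would abort */
};

/* Copies 'len' bytes of input into the frame's buffer with no bound check
 * (the defect a cookie is designed to catch), then runs the epilogue
 * comparison. The copy is capped at sizeof(demo_frame) so the demo itself
 * never writes outside the struct. */
enum check_result copy_and_check(const unsigned char *input, size_t len) {
    demo_frame frame;
    frame.cookie   = DEMO_REFERENCE_COOKIE;
    frame.saved_bp = 0x00007ffc0000ULL;        /* constructed placeholder */
    frame.ret_addr = 0x0000000000401136ULL;    /* constructed placeholder */

    if (len > sizeof frame)
        len = sizeof frame;
    memcpy(&frame, input, len);   /* overruns buf whenever len > sizeof buf */

    /* The check happens before the saved base pointer or return address is
     * ever used, which is what makes the corruption detectable. */
    if (frame.cookie != DEMO_REFERENCE_COOKIE)
        return COOKIE_SMASHED;
    return FRAME_OK;
}

/* Runs the copy with 'len' bytes of filler ('A') and reports the outcome. */
enum check_result check_overflow_of(size_t len) {
    unsigned char input[sizeof(demo_frame)];
    memset(input, 'A', sizeof input);
    return copy_and_check(input, len);
}

/* Shows why the cookie must stay secret: an overflow that writes the correct
 * cookie value back into its slot passes the check even though the slots
 * above it (saved base pointer, return address) were overwritten. */
enum check_result check_overflow_preserving_cookie(void) {
    unsigned char input[sizeof(demo_frame)];
    uint64_t cookie = DEMO_REFERENCE_COOKIE;
    memset(input, 'A', sizeof input);
    memcpy(input + offsetof(demo_frame, cookie), &cookie, sizeof cookie);
    return copy_and_check(input, sizeof input);
}

int main(void) {
    printf("16 bytes (fits buf):      %d\n", check_overflow_of(16));
    printf("17 bytes (1 into cookie): %d\n", check_overflow_of(17));
    printf("40 bytes (whole frame):   %d\n", check_overflow_of(40));
    printf("cookie preserved:         %d\n", check_overflow_preserving_cookie());
    return 0;
}
```

A single byte past the buffer already flips the result to COOKIE_SMASHED, while the last case is the reason the bypasses further down this page exist: the protection is a comparison against a value, so anyone who knows the value can pass it.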

Compile without Stack Cookies:

gcc overflow.c -o overflow -fno-stack-protector

To get past the check you need to leak the cookie value from the stack, for example through a format string vulnerability.

Leak with a read from stack

Bypass with Bruteforce

If the process forks and the stack cookie is the same for the parent and child, then it is possible to brute force the stack cookie, because each failed guess only kills a child and the parent keeps the same value.

To do this efficiently, guess one byte at a time and check whether it works. This is very similar to a padding oracle attack.

Bypass with invalid indexing

You can use negative indexing to bypass the stack canary and read/write data before the buffer. Using this you can overwrite the previous stack frame and return address without ever touching the canary.

Bypass with GOT overwrite

https://greyshell.github.io/posts/stack_canary_bypass/