Stack Cookies
A stack cookie (also called a stack canary) is a random value placed on the stack at function entry and checked again in the function epilogue; if it has changed, the process aborts (glibc calls __stack_chk_fail) instead of returning through a corrupted return address.
- Enabled by default by the gcc and clang packages on most Linux distributions (-fstack-protector-strong), so assume it is present unless checksec says otherwise.
- It is the last value below the saved Base Pointer and the saved return address, so a contiguous overflow out of a local buffer has to walk through the cookie before it can reach either of them.
Compile without stack cookies: pass -fno-stack-protector to gcc or clang.
Leak with a read from stack
If the cookie is in place you first need to leak its value from the stack, for example through a format string vulnerability (%p or %lx specifiers walk up the stack until the cookie shows up), then write the leaked value back at the cookie's own position inside your overflow so the epilogue check still passes.
Bypass with Bruteforce
If the server forks for every connection, each child inherits the parent's cookie unchanged, and a crashed child does not change the cookie in the parent, so it can be brute forced one byte at a time: overwrite only the first byte of the cookie with a guess, reconnect, and see whether the child crashes (wrong guess) or keeps running (right guess); fix that byte and move on to the next one. Each byte takes at most 256 tries, so a 64-bit cookie falls in at most 8 * 256 connections instead of 2^64 (fewer still on x86-64 Linux, where glibc always sets the lowest cookie byte to zero). This is very similar to a padding oracle attack: crash or no crash is the oracle.
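The following is an added example, not code from the original notes: a self-contained model of the byte-at-a-time brute force. The "server" is a real fork(): the child compares the guessed prefix against a process-wide cookie and abort()s on a mismatch, the way __stack_chk_fail would, while the parent only observes whether the child died. The cookie value, the 8-byte size and the zero low byte are assumptions chosen to mirror x86-64 glibc; on a 32-bit target the loop would run over 4 bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for the process-wide cookie. glibc sets it once at
 * startup and fork() copies it unchanged into every child; on x86-64 Linux
 * the lowest byte is zero, which this sample value mimics. */
static const uint64_t g_cookie = 0x4f1e9a2cc7b35d00ULL;

/* One connection handled by a forked child. The child compares the first n
 * bytes it received with the real cookie: a mismatch is what the epilogue
 * check would see, so it abort()s (SIGABRT, like __stack_chk_fail); a match
 * lets the child finish normally. The parent survives either way and learns
 * only crash or no-crash, exactly the oracle an attacker has over the network. */
static int child_survives(const uint8_t *guess, size_t n)
{
    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        exit(EXIT_FAILURE);
    }
    if (pid == 0) {
        if (memcmp(guess, &g_cookie, n) != 0)
            abort();            /* "*** stack smashing detected ***" */
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Recovers the cookie in memory order, lowest address first, one byte per
 * round: extend the known prefix by a guessed byte, ask the oracle, keep the
 * byte that does not crash. Returns the number of children spawned, or -1. */
static int brute_force_cookie(uint8_t out[8])
{
    int queries = 0;
    memset(out, 0, 8);
    for (size_t i = 0; i < 8; i++) {
        int found = 0;
        for (int b = 0; b < 256; b++) {
            out[i] = (uint8_t)b;
            queries++;
            if (child_survives(out, i + 1)) {
                found = 1;
                break;
            }
        }
        if (!found)
            return -1;
    }
    return queries;
}

/* Convenience wrapper: reassembles the recovered bytes into the native
 * 64-bit value, exactly as they sit in the target's memory. */
static uint64_t recover_cookie(int *queries)
{
    uint8_t bytes[8];
    int q = brute_force_cookie(bytes);
    if (queries)
        *queries = q;
    uint64_t v = 0;
    memcpy(&v, bytes, sizeof v);
    return v;
}

int main(void)
{
    int q = 0;
    uint64_t c = recover_cookie(&q);
    printf("recovered cookie 0x%016llx in %d forks\n", (unsigned long long)c, q);
    return c == g_cookie ? 0 : 1;
}
```

Against a real target the memcmp is replaced by the overflow itself: send the known prefix plus one guessed byte, padded exactly up to the cookie's position, and treat a closed connection as "wrong". The query count is the sum of the guessed byte values plus one per byte, never more than 8 * 256.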
Bypass with invalid indexing
The cookie only catches a contiguous overflow that runs through it. A write through an attacker-controlled index (buf[idx] = value with no bounds check) lands at a single offset, so a large positive index jumps over the cookie straight onto the saved Base Pointer and return address, and a negative index reads or writes the data that lies below the buffer. Either way the cookie is never touched and the epilogue check passes.
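The following is an added example, not code from the original notes: a struct models one stack frame laid out as the text describes, so the demo is deterministic instead of smashing the program's own stack. It puts the linear overflow that the cookie catches next to the indexed write that skips over it, and a bounds-checked version of the indexed write as the fix. The cookie value and the addresses are constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one x86-64 frame, low to high addresses in the order
 * the text gives: local buffer, cookie, saved Base Pointer, saved return
 * address. A struct keeps the demo deterministic and portable. */
enum { BUF_WORDS = 4 };
struct frame {
    uint64_t buf[BUF_WORDS];
    uint64_t cookie;
    uint64_t saved_rbp;
    uint64_t ret;
};

#define COOKIE_VALUE 0x2ba7f0e91c5ad300ULL  /* constructed; low byte zero like glibc */

static void frame_init(struct frame *f)
{
    memset(f->buf, 0, sizeof f->buf);
    f->cookie = COOKIE_VALUE;
    f->saved_rbp = 0x7ffd3a4c9e10ULL;   /* constructed caller frame pointer */
    f->ret = 0x401136ULL;               /* constructed legitimate return site */
}

/* The epilogue check that __stack_chk_fail enforces: 1 = clean, 0 = smashed. */
static int canary_intact(const struct frame *f)
{
    return f->cookie == COOKIE_VALUE;
}

/* Bug 1: classic linear overflow (strcpy/gets into buf). Writes n words from
 * buf[0] upward; reaching saved_rbp or ret means walking through the cookie,
 * so the epilogue check catches it. n is capped so the model stays in bounds. */
static void linear_overflow(struct frame *f, const uint64_t *payload, size_t n)
{
    if (n > sizeof *f / sizeof (uint64_t))
        n = sizeof *f / sizeof (uint64_t);
    memcpy(f, payload, n * sizeof (uint64_t));
}

/* Bug 2: attacker-controlled index with no bounds check (buf[idx] = val).
 * One write at one offset: idx 6 is ret and idx 5 is saved_rbp, neither of
 * which disturbs the cookie at idx 4. The model covers idx 0..6 only; a
 * negative idx would reach whatever sits below the buffer. */
static void indexed_write(struct frame *f, size_t idx, uint64_t val)
{
    memcpy((unsigned char *)f + idx * sizeof (uint64_t), &val, sizeof val);
}

/* Hardened form of bug 2: reject any index outside the buffer. */
static int indexed_write_checked(struct frame *f, long idx, uint64_t val)
{
    if (idx < 0 || idx >= (long)BUF_WORDS)
        return -1;
    f->buf[idx] = val;
    return 0;
}

/* Runs both bugs against fresh frames with the same target address.
 * Returns 1 when the linear overflow is caught and the indexed write
 * replaces ret with the cookie still intact. */
static int run_demo(uint64_t *ret_after_indexed)
{
    const uint64_t target = 0x4011d6ULL;   /* constructed attacker-chosen address */
    uint64_t payload[7];
    struct frame f;

    for (int i = 0; i < 7; i++)
        payload[i] = target;

    frame_init(&f);
    linear_overflow(&f, payload, 7);
    int linear_caught = !canary_intact(&f) && f.ret == target;

    frame_init(&f);
    indexed_write(&f, 6, target);
    int indexed_missed = canary_intact(&f) && f.ret == target;
    if (ret_after_indexed)
        *ret_after_indexed = f.ret;

    return linear_caught && indexed_missed;
}

int main(void)
{
    uint64_t ret = 0;
    int ok = run_demo(&ret);
    printf("linear overflow caught, indexed write set ret = 0x%llx with cookie intact: %s\n",
           (unsigned long long)ret, ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

When auditing, look for any array access whose index comes from input without a check on both ends; the stack protector gives no warning for these, so the fix has to be the bounds check itself.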