'return orient programming and stack canaries

Is it possible to utilize ROP when Stack canaries are in place without any other "helpers" to bypass the canary values? If so could you please provide some resources/material that further explains how it'd be done when one is just using ROP without any other techniques?

securitystackexploit


Solution 1:[1]

It depends. Computers have two memory access types:

  • Sequential access: From the start of the buffer you have to completely overwrite all the following bytes up to buf+len(payload)
  • Direct access: It's an arbitrary write. You can overwrite the value at the exact address you want

Probably you were considering only the first case and I'm pretty sure that, without any "helper", you can't bypass the canary. The only way would be to bruteforce its value.

In case of an arbitrary write, which can happen with a format string (an old type of vulnerability) or heap vulnerability, you just have to overwrite the stack avoiding the canary address.

N.B.: Arbitrary write is still way harder to achieve

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Marco Balo

Related Questions

Secure cookies flag always getting lost in first session after resetting IIS

How to show or hide contents of an aspx page based on current user's roles

protect images on webpage from being copied/saved?

Getting error "403 - Forbidden: Access is denied" on browser when user is NOT administrator

Disable SSLHandshakeException for a single connection

SSL certificate error for IE users only

How to access HttpContext and Request in RequireAssersion?

Send Public key(generated as seckeyref in iPhone) to server(in Java)

The EXECUTE permission is denied on the user-defined table types?

cannot commit or push using egit (guess: issues with secure storage area)

Authorisation in microservices - how to approach domain object or entity level access control using ACL?

Adding nonce value to @Scripts.Render ASP.Net MVC razor pages with NWebSec

SSL Java java.io.IOException: Invalid keystore format

preventing abuse of API service usage

Protecting or Licensing a Django Application