
0x05. Analyze binary protection flags

liyansong2018 edited this page Jan 5, 2025 · 1 revision

Canary

Stack protection (canary): not enabled by default; it is turned on with one of the following gcc compilation options:

  • -fstack-protector: protects functions that call alloca() and functions holding buffers larger than 8 bytes. The disadvantage is limited coverage.
  • -fstack-protector-all: protects the stack frame of every function. The disadvantage is that it adds considerable extra stack usage and increases the program size.
  • -fstack-protector-strong: extends -fstack-protector to functions with any local array and to functions that take the address of a local variable (pointers into the local frame).
  • -fstack-protector-explicit: like -fstack-protector, but only for functions explicitly marked with the stack_protect attribute.

How to determine the corresponding flag from the binary: look for a call to __stack_chk_fail@plt in the disassembly. A binary built with a stack canary imports __stack_chk_fail from libc, so its presence shows that Stack Canary is enabled.

(screenshot: stack_chk)

NX

Stack is Not Executable (NX): enabled by default; it is toggled with the linker option -z execstack (passing that option makes the stack executable). How to determine the corresponding flag from the binary: inspect the PT_GNU_STACK program header. The stack is executable only if that segment carries the executable flag; otherwise NX is enabled.

(screenshot: nx)

Use elfspirit directly to turn off NX. The edit below rewrites the flags of the PT_GNU_STACK segment from 6 to 7, that is, from RW to RWX:

┌──(kali㉿kali)-[~/Tools/elfspirit/examples/05_checksec]
└─$ elfspirit edit -P -i11 -j6 -m7 main
6->7

(screenshot: shutup_nx)

At this point, the shellcode stored on the stack executes directly, without the segmentation fault seen before.

┌──(kali㉿kali)-[~/Tools/elfspirit/examples/05_checksec]
└─$ ./main
/bin/cat: //////etc/shadow: Permission denied

PIE

PIE (position-independent executable) is enabled by default and can be enabled with the compiler option -pie. How to determine the corresponding flag from the binary: check the load address of the executable segment. A load address of 0 means the program is relocated to a random base at run time, so address randomization is enabled; a fixed address such as 0x400000 means it is not.

(screenshot: pie)

RelRO

RelRO is equivalent to enabling now binding. On Ubuntu, now binding is enabled by default, and on Kali, lazy binding is enabled by default. The binding type is selected at link time with -z now or -z lazy. There are two ways to tell whether a binary has now binding (RelRO) enabled:

  • Is there a .got.plt section? If so, lazy binding is in use.
  • Is DF_BIND_NOW set in the DT_FLAGS entry of the dynamic section? If so, now binding is enabled.

(screenshot: relro)
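The four checks described on this page (a __stack_chk_fail import for Canary, the PT_GNU_STACK flags for NX, the load address of an ET_DYN executable for PIE, and PT_GNU_RELRO plus DT_FLAGS/DF_BIND_NOW for RelRO) can be read straight out of the ELF64 program headers and the dynamic segment. The script below is an added example written for this page, not elfspirit's own code: it parses those structures with the standard library only, and it builds small constructed ELF64 images (not runnable programs, just headers and a dynamic section) so the parser can be exercised offline. It assumes a little-endian ELF64 file with a PT_LOAD segment backing the dynamic string table; the canary check will report false for statically linked binaries, which have no dynamic string table.

```python
"""Read Canary / NX / PIE / RelRO straight from ELF64 program headers and the dynamic segment."""
import struct

# ELF64 constants as defined in elf.h
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_STRTAB, DT_STRSZ, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def _phdrs(data):
    """Yield (p_type, p_flags, p_offset, p_vaddr, p_filesz) for every program header."""
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        p_type, p_flags, p_off, p_vaddr, _paddr, p_filesz, _memsz, _align = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        yield p_type, p_flags, p_off, p_vaddr, p_filesz


def _vaddr_to_offset(loads, vaddr):
    """Translate a virtual address to a file offset through the PT_LOAD segment that maps it."""
    for _t, _f, off, va, filesz in loads:
        if va <= vaddr < va + filesz:
            return off + (vaddr - va)
    raise ValueError("vaddr not backed by any PT_LOAD segment")


def checksec(data):
    """Return {'canary','nx','pie','relro'} for one ELF64 image held in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    phdrs = list(_phdrs(data))
    loads = [p for p in phdrs if p[0] == PT_LOAD]
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    # NX: PT_GNU_STACK must be present and must not carry the executable bit (6 = RW, 7 = RWX).
    nx = bool(stack) and not (stack[0][1] & PF_X)
    # PIE: an ET_DYN executable whose first PT_LOAD sits at address 0 gets a random base at run time.
    pie = e_type == ET_DYN and bool(loads) and loads[0][3] == 0
    # Walk the dynamic segment: 16-byte (d_tag, d_val) pairs terminated by DT_NULL.
    dyn = {}
    for p in phdrs:
        if p[0] == PT_DYNAMIC:
            off = p[2]
            while True:
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                dyn[tag] = val
                off += 16
    # RelRO: PT_GNU_RELRO alone is partial; with now binding (DF_BIND_NOW or DF_1_NOW) it is full.
    bind_now = bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW) or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    has_relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    # Canary: a PLT stub for __stack_chk_fail needs the name in the dynamic string table.
    canary = False
    if DT_STRTAB in dyn and DT_STRSZ in dyn:
        off = _vaddr_to_offset(loads, dyn[DT_STRTAB])
        canary = b"__stack_chk_fail\x00" in data[off:off + dyn[DT_STRSZ]]
    return {"canary": canary, "nx": nx, "pie": pie, "relro": relro}


def build_elf(canary=True, nx=True, pie=True, relro="full"):
    """Constructed sample: a minimal, non-runnable ELF64 image carrying the requested protections."""
    base = 0 if pie else 0x400000
    dynstr = b"\x00libc.so.6\x00" + (b"__stack_chk_fail\x00" if canary else b"")
    entries = [(DT_STRTAB, base + 0x200), (DT_STRSZ, len(dynstr))]
    if relro == "full":
        entries.append((DT_FLAGS, DF_BIND_NOW))
    entries.append((DT_NULL, 0))
    dynamic = b"".join(struct.pack("<qQ", t, v) for t, v in entries)
    size = 0x300 + len(dynamic)
    ph = [(PT_LOAD, 5, 0, base, size, size, 0x1000),
          (PT_DYNAMIC, 6, 0x300, base + 0x300, len(dynamic), len(dynamic), 8),
          (PT_GNU_STACK, 6 | (0 if nx else PF_X), 0, 0, 0, 0, 16)]
    if relro != "none":
        ph.append((PT_GNU_RELRO, 4, 0x300, base + 0x300, len(dynamic), len(dynamic), 1))
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, off, va, va, fsz, msz, al)
                     for t, f, off, va, fsz, msz, al in ph)
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8 +
            struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1, base + 0x1000,
                        64, 0, 0, 64, 56, len(ph), 64, 0, 0))
    img = bytearray(size)
    img[:64] = ehdr
    img[64:64 + len(phdrs)] = phdrs
    img[0x200:0x200 + len(dynstr)] = dynstr
    img[0x300:0x300 + len(dynamic)] = dynamic
    return bytes(img)


if __name__ == "__main__":
    for kw in ({}, {"nx": False}, {"pie": False, "relro": "partial", "canary": False}):
        print(kw, checksec(build_elf(**kw)))
```

To run it against a real binary, pass the file contents: checksec(open("main", "rb").read()). The NX result is the same bit elfspirit flips in the example above: a PT_GNU_STACK flags value of 7 instead of 6 makes nx report False.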
