# Print Stack Canary

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF**, check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**Telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub repos.

</details>

## Enlarge the printed stack

Imagine a situation where a program **vulnerable to a stack overflow** can execute a **puts** function **pointing at part of the overflowed stack**. The attacker knows that the **first byte of the canary is a null byte** (`\x00`) and that the rest of the canary consists of **random** bytes. The attacker can therefore create an overflow that **overwrites the stack up to the first byte of the canary**, so that the null byte no longer terminates the string.

Then, the attacker **triggers the puts functionality** in the middle of the payload, which will **print the whole canary** (except the first null byte).

With this information the attacker can **craft and send a new attack** knowing the canary (within the **same program session**).

Obviously, this tactic is very **restricted**, as the attacker needs to be able to **print** the **content** of the **payload** to **exfiltrate** the **canary**, and then be able to create a new payload (within the **same program session**) and **send** the **real buffer overflow**.
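As an added illustration (not code from this page or from the linked write-ups), the following C model of a single x86-64 stack frame shows why the leading null byte of the canary normally stops `puts`, what overwriting that one byte exposes, and that the epilogue comparison would still catch the corruption at function return. The frame layout, the canary value and the saved registers are constructed sample values.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of an x86-64 frame: a 32-byte buffer directly below the
 * canary; natural alignment places the canary at offset 32. */
struct frame {
    char     buf[32];
    uint64_t canary;
    uint64_t saved_rbp;
    uint64_t ret_addr;
};
/* Constructed sample value. glibc zeroes the least significant byte, so in
 * little-endian memory the canary starts with 0x00 and stops string functions. */
#define SAMPLE_CANARY 0x5a6b7c8d9eaf1200ULL

/* What the prologue leaves behind: buf full of non-NUL data, canary in place. */
void frame_init(struct frame *f) {
    memset(f->buf, 'A', sizeof f->buf);
    f->canary    = SAMPLE_CANARY;
    f->saved_rbp = 0x7ffd00000010ULL;   /* constructed */
    f->ret_addr  = 0x401234ULL;         /* constructed */
}
/* The bug: n is never checked against sizeof buf, so the copy runs into the
 * canary. Clamping at the frame end only keeps the model well defined. */
void vulnerable_read(struct frame *f, const unsigned char *in, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy(f, in, n);
}

/* Bytes puts(buf) would print: everything up to the first NUL. */
size_t puts_leak_len(const struct frame *f) {
    const unsigned char *p = (const unsigned char *)f;
    size_t n = 0;
    while (n < sizeof *f && p[n] != 0) n++;
    return n;
}

/* The epilogue comparison (__stack_chk_fail when it returns 0). It only runs
 * at function return, which is what leaves room for a leak in between. */
int canary_intact(const struct frame *f) {
    return f->canary == SAMPLE_CANARY;
}

/* Rebuild the canary from a leak that clobbered its NUL byte: the seven bytes
 * after the canary offset are its high bytes; the low byte is known to be 0. */
uint64_t canary_from_leak(const struct frame *f, size_t canary_off) {
    const unsigned char *p = (const unsigned char *)f;
    uint64_t v = 0;
    for (int i = 1; i < 8; i++) v |= (uint64_t)p[canary_off + i] << (8 * i);
    return v;
}
```

With the intact frame `puts_leak_len` stops at 32 (the canary's null byte); after a 33-byte write it runs on through the seven remaining canary bytes and into the low byte of the saved rbp, while `canary_intact` already reports the corruption the epilogue would abort on.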

**CTF examples:**

* [**https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html**](https://guyinatuxedo.github.io/08-bof_dynamic/csawquals17_svc/index.html)
* 64 bits, ASLR enabled but no PIE. The first step is to fill an overflow up to the 0x00 byte of the canary and then call puts to leak it. With the canary known, a ROP chain calls puts to leak the address of puts from the GOT, and a second ROP chain calls `system('/bin/sh')`.
* [**https://guyinatuxedo.github.io/14-ret\_2\_system/hxp18\_poorCanary/index.html**](https://guyinatuxedo.github.io/14-ret_2_system/hxp18_poorCanary/index.html)
* 32 bits, ARM, no RELRO, canary, NX, no PIE. Overflow and call puts on the buffer to leak the canary, then ret2libc to call `system`, using a ROP chain to pop r0 (the `/bin/sh` argument) and pc (the address of system).

## Arbitrary Read

With an **arbitrary read** such as the one provided by format **strings**, it may be possible to leak the canary. Check this example: [**https://ir0nstone.gitbook.io/notes/types/stack/canaries**](https://ir0nstone.gitbook.io/notes/types/stack/canaries), and you can read about abusing format strings to read arbitrary memory addresses in:

{% content-ref url="/pages/fUhYVeVSbW2DmpvMZwxx" %}
[Format Strings](/binary-exploitation/format-strings.md)
{% endcontent-ref %}

* <https://guyinatuxedo.github.io/14-ret_2_system/asis17_marymorton/index.html>
* This challenge abuses a format string in a very simple way to read the canary from the stack.
