Is there any way to bypass SSP (StackSmashing Protection)/Propolice?

Submitted by 爷,独闯天下 on 2019-12-03 16:11:57

Canaries are a very good security measure for protecting against some buffer overflows. Over the years various canary implementations have been broken and then made more secure. What is important is that, even despite advanced memory protection, buffer overflows are still being exploited on Vista, Windows 7 and Fedora 11...

One very important thing to mention is that canaries only protect the function's call frame (which includes the mighty EIP!). A buffer overflow can happen in another segment of memory such as the heap, and a canary would have no effect. Furthermore, an application can be hacked using a buffer overflow without ever having to overwrite an EIP. Controlling the EIP is a very straightforward and easy method to turn a buffer overflow into a killer exploit, and that is why it is the most common method of exploitation.

These exploitation methods, as well as others, are gone over in great detail in Exploiting Software: How to Break Code.

I am more familiar with Microsoft's GS stack protection, but the two approaches seem similar.

The following blog post from Microsoft shows one example where an attacker can still take control even when stack cookies are in use (the first example should be applicable to non-Windows systems):

This blog post talks about some of the upcoming improvements to stack protection:

If an application has an array/buffer on the stack, and uses caller-controlled index values without bounds checking, then a caller will be able to access arbitrary memory locations, and stack protection won't be able to prevent or detect it.
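As an added example (not part of the answers above), the unchecked indexed write that the answer describes, next to a hardened version that validates the index before it touches memory; the message layout is constructed for illustration and is not a real protocol:

```c
#include <stddef.h>
#include <stdint.h>

#define SLOTS 8

/* Constructed message layout (an assumption for this example, not a real
 * protocol): byte 0 is a slot index, bytes 1..4 a little-endian value. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable pattern from the answer above: the caller-controlled index is
 * used without a bounds check, so msg[0] >= SLOTS writes outside the array.
 * The stack canary sits between the locals and the saved return address and
 * is only compared at function return, so an indexed write that lands past
 * it or elsewhere on the stack is neither prevented nor detected.  Kept here
 * for comparison only; it is never called with an out-of-range index. */
int handle_message_unchecked(const uint8_t *msg, size_t len, uint32_t *sum_out)
{
    uint32_t slots[SLOTS] = {0};
    if (len < 5)
        return -1;
    slots[msg[0]] = read_le32(msg + 1);   /* no range check on msg[0] */
    uint32_t sum = 0;
    for (size_t i = 0; i < SLOTS; i++)
        sum += slots[i];
    *sum_out = sum;
    return 0;
}

/* Hardened version: validate the index before it is used as a subscript.
 * Canaries do not help here; the bounds check is the actual mitigation. */
int handle_message_checked(const uint8_t *msg, size_t len, uint32_t *sum_out)
{
    uint32_t slots[SLOTS] = {0};
    if (len < 5)
        return -1;
    size_t idx = msg[0];
    if (idx >= SLOTS)
        return -2;                        /* reject out-of-range index */
    slots[idx] = read_le32(msg + 1);
    uint32_t sum = 0;
    for (size_t i = 0; i < SLOTS; i++)
        sum += slots[i];
    *sum_out = sum;
    return 0;
}
```

Compiling with -fstack-protector (or /GS) still leaves the unchecked version exploitable via the index, which is exactly the case the answer describes.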
