Smashing the stack for fun and profit (opens in new tab)

(phrack.org)

71 pointsjdeseno16y ago45 comments

45 comments

26 comments · 12 top-level

tptacek16y ago· 3 in thread

It's interesting to compare exploit tech from today to how simple things were back in '97. In '97, a complex exploit meant you couldn't have lowercase ASCII equivalents in your shellcode. Now, you scan the target for info leaks that will disclose stack cookies, and spray the heap to increase the odds that you'll hit your exploit in randomized memory, and forge stack frames that will return to mprotect or VirtualProtect, and and and.

So much of "security research" over the last 10 years has basically danced around a fundamental fact: if you lose control of the runtime memory of your program, you lose control of the whole program.

_cbsz16y ago

If you get lucky, your target won't bother with all these new-fangled protections and run on WinXP (no ASLR) and the only thing you'll have to contend with is non-executable stack. Our original exploit for Green Dam used a heap spray only to make writing it easier, and the underground exploit uses a really awful behavior of IE w.r.t. running .NET DLLs -- http://www.milw0rm.com/exploits/8938 . Other than that, there are no defenses to speak of.

tptacek16y ago

Even that really awful behavior of IE, that's a Black Hat '09 talk, isn't it?

1 more reply

Zarathu16y ago

Well, that's sort of true. You don't necessarily have to keep track of the runtime memory as long as the buffer is large enough.

You could find the address of a JMP %ESP instruction in the victim OS (0x7C8369D8 in XP SP 2) and place it before a NOPsled.

A typical buffer overflow, for example:

[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA][0x7C8369D8][NOP][shellcode]

You do, of course, need to make sure you don't have any \0 bytes in your shellcode, but that's always been the case.

scythe16y ago· 3 in thread

In one of my freshman CS courses, one of our last assignments was to read this paper (as well as a more approachable tutorial written by our TAs) and carry this out on a toy architecture (LC3) that we had been working with for the whole course. It was probably the most interesting assignment we had that semester.

Oompa16y ago

I had a similar class. CS2110 at Georgia Tech. I will never forget it :)

alexgartrell16y ago

At CMU:

http://csapp.cs.cmu.edu/public/buflab.pdf

Edit: Changes since 2002

    -- Assignment is now individual
    -- "For Fun" stage is now mandatory

And here are the other labs: http://csapp.cs.cmu.edu/public/labs.html

Architecture lab has fallen by the wayside, and Performance Lab is done sometimes (depending upon the taste of the instructors)

scythe16y ago

Funny, I was referring to the same class!

When did you take it?

1 more reply

sown16y ago· 3 in thread

For a lot of these tutorials to work, you also have to turn off SELinux or any other stack protection.

petsos16y ago

This paper was written 7 years before SELinux was merged.

sown16y ago

Yes. And the examples won't always work on modern linux distros depending on configuration

2 more replies

leif16y ago

I got scut's format string attacks working on a bunch of sort of modern unices (and all the old ones where I had access), but nothing within a year.

lg16y ago· 2 in thread

Ah, fond memories of my computer security class, where this was assigned reading. We also studied format string vulnerabilities: http://julianor.tripod.com/bc/formatstring-1.2.pdf

alecco16y ago

If we are going down memory lane, check out JP's "Advanced Doug lea's malloc exploits" http://www.phrack.org/issues.html?issue=61&id=6#article

shykes16y ago

And you might as well read Doug Leas's paper, too http://g.oswego.edu/dl/html/malloc.html

ecq16y ago· 2 in thread

wow I still remember this. a classic by Aleph One.

Another tutorial pre-dates this by ~1 year. It was written by mudge.

http://biblio.l0t3k.net/b0f/en/howto_write_buffer.txt

tptacek16y ago

The first published x86 shellcode-style overflow was splitvt, which was announced "officially" just weeks after this tutorial was dated:

http://seclists.org/bugtraq/1995/Dec/2

(My business partner co-authored it).

The first shellcode-style buffer overflow (besides the rtm worm) was Thomas Lopatic's HPUX HTTPd vulnerability from a few months earlier:

http://seclists.org/bugtraq/1995/Feb/109

There was a frantic race to get the first overflow out after 8lgm capped off their run of zero-days with an announcement of a Sendmail 8.6.12 remote that relied on a syslog() overflow (yes, in 1995, syslog(3) had an overflow). I was sitting next to Pieter when he wrote part of the tutorial you linked to. I was pretty young (maybe 19?) but even so, it was a pretty electric time to be involved in security.

sp33216y ago

(OT) Did you know there's a petition to get mudge to be US Cyberczar? http://www.ipetitions.com/petition/mudge4cyberczar/

omouse16y ago· 1 in thread

And the lesson is, try to avoid using C :)

tptacek16y ago

And C++.

mahmud16y ago

A classic. The most referenced underground paper, ever!

112,605 documents found

http://citeseerx.ist.psu.edu/search?q=Smashing+The+Stack+For...

jacquesm16y ago

Funny how the first example contains a subtle bug, the string termination is never done, if the stack wasn't zeroed prior to running that program, you may not only overflow 'buffer' on purpose, you may overflow it a lot further than you'd think by just reading the code.

large_string[255] = 0;

Would solve that.

wclax0416y ago

I remember reading this paper as an undergrad at Rutgers. We had to do a stack smashing project based on this with different stack protection methods (canaries/ASLR)

This was probably one of the most important things I learned in school.

haupt16y ago

I remember reading this and finding an error in one of the examples. In addition to learning about the stack, I also realized that superheroes are human, too. <3

MtL16y ago

Funny, I just re-read that paper yesterday =) Aleph One is a hero in my eyes, he made my childhood much more interesting.

c00p3r16y ago

Oh, that romantic feeling from the boyhood... =)

j / k navigate · click thread line to collapse

45 comments

26 comments · 12 top-level

tptacek16y ago· 3 in thread

So much of "security research" over the last 10 years has basically danced around a fundamental fact: if you lose control of the runtime memory of your program, you lose control of the whole program.

_cbsz16y ago

tptacek16y ago

Even that really awful behavior of IE, that's a Black Hat '09 talk, isn't it?

1 more reply

Zarathu16y ago

Well, that's sort of true. You don't necessarily have to keep track of the runtime memory as long as the buffer is large enough.

You could find the address of a JMP %ESP instruction in the victim OS (0x7C8369D8 in XP SP 2) and place it before a NOPsled.

A typical buffer overflow, for example:

[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA][0x7C8369D8][NOP][shellcode]

You do, of course, need to make sure you don't have any \0 bytes in your shellcode, but that's always been the case.

scythe16y ago· 3 in thread

Oompa16y ago

I had a similar class. CS2110 at Georgia Tech. I will never forget it :)

alexgartrell16y ago

At CMU:

http://csapp.cs.cmu.edu/public/buflab.pdf

Edit: Changes since 2002

    -- Assignment is now individual
    -- "For Fun" stage is now mandatory

And here are the other labs: http://csapp.cs.cmu.edu/public/labs.html

Architecture lab has fallen by the wayside, and Performance Lab is done sometimes (depending upon the taste of the instructors)

scythe16y ago

Funny, I was referring to the same class!

When did you take it?

1 more reply

sown16y ago· 3 in thread

For a lot of these tutorials to work, you also have to turn off SELinux or any other stack protection.

petsos16y ago

This paper was written 7 years before SELinux was merged.

sown16y ago

Yes. And the examples won't always work on modern linux distros depending on configuration

2 more replies

leif16y ago

I got scut's format string attacks working on a bunch of sort of modern unices (and all the old ones where I had access), but nothing within a year.

lg16y ago· 2 in thread

Ah, fond memories of my computer security class, where this was assigned reading. We also studied format string vulnerabilities: http://julianor.tripod.com/bc/formatstring-1.2.pdf

alecco16y ago

If we are going down memory lane, check out JP's "Advanced Doug lea's malloc exploits" http://www.phrack.org/issues.html?issue=61&id=6#article

shykes16y ago

And you might as well read Doug Leas's paper, too http://g.oswego.edu/dl/html/malloc.html

ecq16y ago· 2 in thread

wow I still remember this. a classic by Aleph One.

Another tutorial pre-dates this by ~1 year. It was written by mudge.

http://biblio.l0t3k.net/b0f/en/howto_write_buffer.txt

tptacek16y ago

The first published x86 shellcode-style overflow was splitvt, which was announced "officially" just weeks after this tutorial was dated:

http://seclists.org/bugtraq/1995/Dec/2

(My business partner co-authored it).

The first shellcode-style buffer overflow (besides the rtm worm) was Thomas Lopatic's HPUX HTTPd vulnerability from a few months earlier:

http://seclists.org/bugtraq/1995/Feb/109

sp33216y ago

(OT) Did you know there's a petition to get mudge to be US Cyberczar? http://www.ipetitions.com/petition/mudge4cyberczar/

omouse16y ago· 1 in thread

And the lesson is, try to avoid using C :)

tptacek16y ago

And C++.

mahmud16y ago

A classic. The most referenced underground paper, ever!

112,605 documents found

http://citeseerx.ist.psu.edu/search?q=Smashing+The+Stack+For...

jacquesm16y ago

large_string[255] = 0;

Would solve that.

wclax0416y ago

I remember reading this paper as an undergrad at Rutgers. We had to do a stack smashing project based on this with different stack protection methods (canaries/ASLR)

This was probably one of the most important things I learned in school.

haupt16y ago

I remember reading this and finding an error in one of the examples. In addition to learning about the stack, I also realized that superheroes are human, too. <3

MtL16y ago

Funny, I just re-read that paper yesterday =) Aleph One is a hero in my eyes, he made my childhood much more interesting.

c00p3r16y ago

Oh, that romantic feeling from the boyhood... =)

j / k navigate · click thread line to collapse