from Hacker News

Smashing the Stack for Fun and Profit (1996)

by keskadale on 1/24/21, 5:35 AM with 62 comments

  • by hyper_reality on 1/25/21, 6:18 PM

    What a classic! Phrack stopped publishing some time ago but the world of security ploughs on, who can recommend similar modern resources to Phrack?

    Here's a few I'm aware of:

    https://www.alchemistowl.org/pocorgtfo/

    https://secret.club/

  • by tekstar on 1/25/21, 6:30 PM

    This article, and then working through the book "Hacking and the Art of Exploitation" taught me the true fundamentals of the C programming language, and Linux. The other key ingredient was working through the classic "digital evolution" wargames where you'd SSH into a box as level1 and work your way up from there.

  • by __jf__ on 1/25/21, 5:41 PM

    In 2017 I got a second hand Cisco ASA just to play with the shadowbrokers tools. EXTRABACON was the codename for the SNMP exploit using a buffer overflow.

    This was an interesting excercise because there were NO logs of this happening on the Cisco ASA, not even when ramping every loglevel to debug. Well only on the console port. Exception in readline() or something like it. Doing stuff for security monitoring in daily life this ehm was alarming, but not unexpected. Fixing “No logs” is often a challenge for blue teams.

    Anyway it was alarming enough to find and read through the Common Criteria EAL4+ certification docs for the Cisco ASA only to find that SNMP was excluded from certification scope. I still have the idea in the back of my head to explore scope exclusions in other certification docs for other unfortunate exclusions.

    Also the lack of mitigations like stack canaries, ASLR or others was quite surprising for a certified black box security device on the network perimeter.

  • by dang on 1/25/21, 10:21 PM

  • by f00zz on 1/25/21, 5:51 PM

    A classic, but these days if you want to reproduce those bugs you need to build your code with -fno-stack-protector, enable executable stack, disable ASLR in the kernel, etc.

  • by maerF0x0 on 1/25/21, 5:23 PM

    I think the main thing to discuss here is how, 25 yrs later, we're still getting overflow bugs.

  • by hushhush on 1/25/21, 10:22 PM

    This paper also inspired the recent academic paper "Attacking Zcash Protocol For Fun And Profit" available at https://attackingzcash.com and on IACR: https://eprint.iacr.org/2020/627

    It describes new kinds of metadata leakage attacks that can be launched against privacy coins, by adversaries with large budgets, such as professional criminal organizations, blockchain analysis companies and nation states. The privacy coin HUSH has developed this defensive technology and was first to implement it in September 2019.

    There is a YouTube video where the author explains why he named the paper this way, this link has the timestamp where it's talked about: https://youtu.be/berM7Dnnoz4?t=405

    "This is a whole new research field I am creating, that is why I called it Attacking Zcash Protocol For Fun And Profit, just like Smashing The Stack for Fun And Profit, it created a whole new field"

    Also, for the hardcore HN nerds: The paper focuses on Zcash Protocol, but the ideas apply to any cryptocoin with a transaction graph, so Monero is definitely vulnerable. Much more vulnerable that Zcash Protocol.

  • by no-dr-onboard on 1/25/21, 6:02 PM

    This has been required reading for all the pentesters at my org for the past 20 years.

  • by jdblair on 1/25/21, 6:45 PM

    Reading this article back in the day is how I learned how stack smashing works! I also remember when the EFF stopped hosting Phrack because most of their bandwidth was people downloading every issue off the EFF’s web server.

  • by NOGDP on 1/25/21, 7:09 PM

    http://smashthestack.org/wargames.html

    > The Smash the Stack Wargaming Network hosts several Wargames. A Wargame in our context can be described as an ethical hacking environment that supports the simulation of real world software vulnerability theories or concepts and allows for the legal execution of exploitation techniques. Software can be an Operating System, network protocol, or any userland application.

  • by alecco on 1/25/21, 8:45 PM

    Gera's Insecure Programming tutorial on advanced Buffer Overflows was quite seminal. The site is gone but there's a GitHub repo now.

    https://github.com/gerasdf/InsecureProgramming

  • by hegzploit on 1/25/21, 7:26 PM

    I sometimes wish time would rewind so I can experience the hacking scene in it's full glory.

  • by rel2thr on 1/26/21, 12:44 AM

    Does someone know why weren't stack overflow exploits more common in the early 90s?

    If the Morris worm used them in 88, how did the technique get lost until this phrack article come out?

    Makes me wonder if there are still entire classes of exploits that are undiscovered out there.

  • by somesortofsystm on 1/25/21, 5:42 PM

    A true classic that is just as relevant today as ever.

    Know thy stack!

    Yes, you still have a .text section!

  • by jeffrom on 1/25/21, 10:34 PM

    I learned so much from this article about how memory works when I was starting out, thanks phrack!

  • by ctocoder on 1/25/21, 5:36 PM

    how I loved trying this in the computer science lab when this 1st hit gopher.

  • by __abc on 1/25/21, 10:37 PM

    Being totally immature here, but "Smashing the stack for fun and profit" would make a great book title for the Chaturbate memoir.

  • by eb0la on 1/25/21, 6:57 PM

    This and the SYNflood attack are IMHO the best hacking papers I ever seen.

    This one ages extremely well.

  • by mokha on 1/26/21, 1:44 AM

    Elias is my hero.