from Hacker News

Smashing the stack for fun and profit

by jdeseno on 11/15/09, 6:50 PM with 45 comments

  • by tptacek on 11/15/09, 7:40 PM

    It's interesting to compare exploit tech from today to how simple things were back in '97. In '97, a complex exploit meant you couldn't have lowercase ASCII equivalents in your shellcode. Now, you scan the target for info leaks that will disclose stack cookies, and spray the heap to increase the odds that you'll hit your exploit in randomized memory, and forge stack frames that will return to mprotect or VirtualProtect, and and and.

    So much of "security research" over the last 10 years has basically danced around a fundamental fact: if you lose control of the runtime memory of your program, you lose control of the whole program.

  • by mahmud on 11/15/09, 7:04 PM

    A classic. The most referenced underground paper, ever!

    112,605 documents found

    http://citeseerx.ist.psu.edu/search?q=Smashing+The+Stack+For...

  • by lg on 11/15/09, 7:05 PM

    Ah, fond memories of my computer security class, where this was assigned reading. We also studied format string vulnerabilities: http://julianor.tripod.com/bc/formatstring-1.2.pdf

  • by scythe on 11/15/09, 7:06 PM

    In one of my freshman CS courses, one of our last assignments was to read this paper (as well as a more approachable tutorial written by our TAs) and carry this out on a toy architecture (LC3) that we had been working with for the whole course. It was probably the most interesting assignment we had that semester.

  • by jacquesm on 11/15/09, 10:11 PM

    Funny how the first example contains a subtle bug: the string termination is never done. If the stack wasn't zeroed prior to running that program, you may not only overflow 'buffer' on purpose, you may overflow it a lot further than you'd think by just reading the code.

    large_string[255] = 0;

    Would solve that.
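    The unterminated-copy problem jacquesm describes, as an added C example that is not part of the thread or of the paper: `large_string` is modelled as the first 256 bytes of one larger array so every read stays in-bounds, the constructed non-zero bytes after it stand in for whatever happened to follow on a non-zeroed stack, and the fix is the `large_string[255] = 0;` line from the comment.

```c
#include <stddef.h>
#include <string.h>

#define LARGE_LEN 256  /* char large_string[256] in the paper's example */
#define TAIL_LEN  8    /* stand-in for whatever followed it on the stack */

/* Reproduce the paper's fill loop (255 'A's, index 255 left untouched)
 * and return how many bytes strcpy(buffer, large_string) would copy.
 * terminate != 0 applies the fix from the comment: large_string[255] = 0. */
size_t copied_length(int terminate)
{
    /* One backing array so every read below is in-bounds: bytes 0..255
     * are large_string, bytes 256..263 model the adjacent memory.
     * A non-zeroed stack is simulated with constructed 'X' bytes. */
    char mem[LARGE_LEN + TAIL_LEN];
    int i;

    memset(mem, 'X', sizeof mem);         /* constructed "stack garbage" */
    mem[sizeof mem - 1] = '\0';           /* the first zero byte that exists */

    for (i = 0; i < 255; i++)             /* the paper's loop, as written */
        mem[i] = 'A';

    if (terminate)
        mem[255] = '\0';                  /* large_string[255] = 0; */

    return strlen(mem);                   /* the length strcpy would walk */
}

int main(void)
{
    /* 263 bytes get copied without the terminator, 255 with it. */
    return (copied_length(0) == 263 && copied_length(1) == 255) ? 0 : 1;
}
```

    The copied length depends on where the first zero byte happens to lie beyond the array, which is exactly why the overflow can reach further than the source suggests.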

  • by wclax04 on 11/15/09, 9:47 PM

    I remember reading this paper as an undergrad at Rutgers. We had to do a stack smashing project based on this with different stack protection methods (canaries/ASLR).

    This was probably one of the most important things I learned in school.

  • by haupt on 11/16/09, 7:31 AM

    I remember reading this and finding an error in one of the examples. In addition to learning about the stack, I also realized that superheroes are human, too. <3

  • by MtL on 11/16/09, 2:05 AM

    Funny, I just re-read that paper yesterday =) Aleph One is a hero in my eyes, he made my childhood much more interesting.

  • by sown on 11/15/09, 7:07 PM

    For a lot of these tutorials to work, you also have to turn off SELinux or any other stack protection.

  • by omouse on 11/16/09, 1:23 AM

    And the lesson is, try to avoid using C :)

  • by ecq on 11/15/09, 9:14 PM

    Wow, I still remember this. A classic by Aleph One.

    Another tutorial pre-dates this by ~1 year. It was written by mudge.

    http://biblio.l0t3k.net/b0f/en/howto_write_buffer.txt

  • by c00p3r on 11/16/09, 4:35 AM

    Oh, that romantic feeling from boyhood... =)