科技回声
Smashing the Stack for Fun and Profit (1996)

181 points, by keskadale, over 4 years ago

19 comments

hyper_reality, over 4 years ago
What a classic! Phrack stopped publishing some time ago but the world of security ploughs on. Who can recommend similar modern resources to Phrack?

Here are a few I'm aware of:

https://www.alchemistowl.org/pocorgtfo/

https://secret.club/
tekstar, over 4 years ago
This article, and then working through the book "Hacking and the Art of Exploitation", taught me the true fundamentals of the C programming language, and Linux. The other key ingredient was working through the classic "digital evolution" wargames where you'd SSH into a box as level1 and work your way up from there.
__jf__, over 4 years ago
In 2017 I got a second-hand Cisco ASA just to play with the Shadow Brokers tools. EXTRABACON was the codename for the SNMP exploit using a buffer overflow.

This was an interesting exercise because there were NO logs of this happening on the Cisco ASA, not even when ramping every log level to debug. Well, only on the console port: "Exception in readline()" or something like it. Doing stuff for security monitoring in daily life, this, ehm, was alarming, but not unexpected. Fixing "no logs" is often a challenge for blue teams.

Anyway, it was alarming enough to find and read through the Common Criteria EAL4+ certification docs for the Cisco ASA, only to find that SNMP was excluded from the certification scope. I still have the idea in the back of my head to explore scope exclusions in other certification docs for other unfortunate exclusions.

Also, the lack of mitigations like stack canaries, ASLR or others was quite surprising for a certified black-box security device on the network perimeter.
dang, over 4 years ago
2009 had the main discussion: https://news.ycombinator.com/item?id=943185

I thought there were others but maybe not? Single-comment threads from 2016, 2014, 2012, 2011:

https://news.ycombinator.com/item?id=11007757

https://news.ycombinator.com/item?id=10821934

https://news.ycombinator.com/item?id=8773298

https://news.ycombinator.com/item?id=4903622

https://news.ycombinator.com/item?id=3061955
f00zz, over 4 years ago
A classic, but these days if you want to reproduce those bugs you need to build your code with -fno-stack-protector, enable an executable stack, disable ASLR in the kernel, etc.
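Added example, not from the Phrack article, from f00zz, or from any other commenter: the sequential overflow the paper describes, written so that it runs deterministically on a stock toolchain without any of the knobs f00zz lists. Instead of overwriting the saved return address (the form that needs -fno-stack-protector, an executable stack and ASLR off before it behaves like the 1996 examples), the unbounded copy overruns a fixed buffer into the variable that follows it inside the same struct, next to a bounded copy that fails closed. The `struct session`, the `unbounded_copy` loop, the two `*_login` functions and the inputs are all constructed for this demonstration and are not anyone's real code.

```c
/* Added example: an intra-frame sequential overflow in the style of
 * "Smashing the Stack", beside its hardened form. Everything here is
 * constructed for the demonstration. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical session record: a fixed-size name buffer followed by a
 * privilege flag. C lays out members in declaration order, so a copy
 * that runs off the end of name lands in is_admin. */
struct session {
    char name[8];
    int  is_admin;
};

/* Where the flag sits relative to the start of the buffer (8 on every
 * common ABI: name is 8 bytes and int needs no extra padding there). */
size_t flag_offset(void)
{
    return offsetof(struct session, is_admin);
}

/* The paper's bug in miniature: an unbounded copy, written as a loop so
 * that strcpy fortification cannot intercept it, and kept out of line so
 * the optimizer cannot reason about how far the write reaches.
 * Never use this in real code. */
__attribute__((noinline))
static void unbounded_copy(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Vulnerable: any input of 8 bytes or more spills into is_admin.
 * Returns the flag as the caller would see it after the copy. */
int vulnerable_login(const char *input)
{
    struct session s;
    s.is_admin = 0;
    unbounded_copy(s.name, input);   /* overflow point */
    return s.is_admin;
}

/* Hardened: bounded copy that refuses input which would not fit with
 * its terminator, writing nothing in that case. */
bool copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n == dstsz)          /* no room for the terminator: reject */
        return false;
    memcpy(dst, src, n + 1);
    return true;
}

/* Returns the flag (always 0 here) or -1 when the input was rejected. */
int hardened_login(const char *input)
{
    struct session s;
    s.is_admin = 0;
    if (!copy_bounded(s.name, sizeof s.name, input))
        return -1;
    return s.is_admin;
}

int main(void)
{
    /* Constructed inputs: one that fits, and one of exactly 11 bytes
     * (8 filler bytes, then three 0x01 bytes and the NUL land in
     * is_admin) so the overflow stays inside the 12-byte struct. */
    const char *ok  = "alice";
    const char *bad = "AAAAAAAA\x01\x01\x01";

    printf("is_admin sits %zu bytes after name\n", flag_offset());
    printf("vulnerable(ok)  -> is_admin=%d\n", vulnerable_login(ok));
    printf("vulnerable(bad) -> is_admin=%d\n", vulnerable_login(bad));
    printf("hardened(bad)   -> %d (rejected, nothing written)\n",
           hardened_login(bad));
    return 0;
}
```

Build with a plain `cc` and run it: the oversized input leaves `is_admin` nonzero (0x00010101 on a little-endian machine) while the bounded version rejects it before writing anything. A stack canary does not help with this variant, because the canary sits between the locals and the saved frame pointer and return address, and this write never reaches it; canaries protect control flow, not data that happens to be adjacent to a buffer. To reproduce the paper's actual return-address overwrite on a modern Linux box you need f00zz's list: build with `gcc -fno-stack-protector -z execstack -no-pie`, and disable ASLR with `echo 0 > /proc/sys/kernel/randomize_va_space` as root.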
maerF0x0, over 4 years ago
I think the main thing to discuss here is how, 25 years later, we're still getting overflow bugs.
hushhush, over 4 years ago
This paper also inspired the recent academic paper "Attacking Zcash Protocol For Fun And Profit", available at https://attackingzcash.com and on IACR: https://eprint.iacr.org/2020/627

It describes new kinds of metadata leakage attacks that can be launched against privacy coins by adversaries with large budgets, such as professional criminal organizations, blockchain analysis companies and nation states. The privacy coin HUSH has developed this defensive technology and was first to implement it in September 2019.

There is a YouTube video where the author explains why he named the paper this way; this link has the timestamp where it's talked about: https://youtu.be/berM7Dnnoz4?t=405

"This is a whole new research field I am creating, that is why I called it Attacking Zcash Protocol For Fun And Profit, just like Smashing The Stack for Fun And Profit, it created a whole new field"

Also, for the hardcore HN nerds: the paper focuses on Zcash Protocol, but the ideas apply to any cryptocoin with a transaction graph, so Monero is definitely vulnerable. Much more vulnerable than Zcash Protocol.
no-dr-onboard, over 4 years ago
This has been required reading for all the pentesters at my org for the past 20 years.
jdblair, over 4 years ago
Reading this article back in the day is how I learned how stack smashing works! I also remember when the EFF stopped hosting Phrack because most of their bandwidth was people downloading every issue off the EFF's web server.
NOGDP, over 4 years ago
http://smashthestack.org/wargames.html

> The Smash the Stack Wargaming Network hosts several Wargames. A Wargame in our context can be described as an ethical hacking environment that supports the simulation of real world software vulnerability theories or concepts and allows for the legal execution of exploitation techniques. Software can be an Operating System, network protocol, or any userland application.
alecco, over 4 years ago
Gera's Insecure Programming tutorial on advanced buffer overflows was quite seminal. The site is gone but there's a GitHub repo now.

https://github.com/gerasdf/InsecureProgramming
hegzploit, over 4 years ago
I sometimes wish time would rewind so I could experience the hacking scene in its full glory.
rel2thr, over 4 years ago
Does someone know why stack overflow exploits weren't more common in the early 90s?

If the Morris worm used them in '88, how did the technique get lost until this Phrack article came out?

Makes me wonder if there are still entire classes of exploits that are undiscovered out there.
somesortofsystm, over 4 years ago
A true classic that is just as relevant today as ever.

Know thy stack!

Yes, you still have a .text section!
jeffrom, over 4 years ago
I learned so much from this article about how memory works when I was starting out. Thanks, Phrack!
ctocoder, over 4 years ago
How I loved trying this in the computer science lab when this first hit Gopher.
__abc, over 4 years ago
Being totally immature here, but "Smashing the Stack for Fun and Profit" would make a great book title for the Chaturbate memoir.
eb0la, over 4 years ago
This and the SYN flood attack paper are IMHO the best hacking papers I have ever seen.

This one ages extremely well.
mokha, over 4 years ago
Elias is my hero.