
Interactive guide to Buffer Overflow exploitation - bordplate
https://nagarrosecurity.com/blog/interactive-buffer-overflow-exploitation
======
antirez
I hope somebody else remembers "Smashing the stack for fun and profit" by
Aleph1.

~~~
fit2rule
I was there when he wrote it, on an Indy I'd given him for work purposes.
Crazy to think, all these years later, we're still discussing it .. in between
setting things up for the Huntington Beach US Open Women's Volleyball
competition, he'd be crashing things running eggshell.

Crazy times. I'll never forget going to a Surfrider Foundation party with
Aleph1, only to be bored out of our minds and go find a barely open video
arcade to throw quarters at ..

~~~
tptacek
[https://twitter.com/aleph_one/status/1247639362147254272](https://twitter.com/aleph_one/status/1247639362147254272)

:)

~~~
fit2rule
Figures you'd pull that string, of all people. Well, I remember him hacking on
it - and he had an Indy. Still, long time ago .. neither of us has the
brain cells we used to. ;)

~~~
tptacek
Well, you have the window from 12/95 to 11/96 to work with. Before that, and
you're predating splitvt, which was the work that mostly set us up to write
the 1990s-form stack overflow exploit.

~~~
fit2rule
I distinctly remember him hacking on stack-smashing techniques while at
Cyberworks, during our down-times... he crashed mine and his Indy a couple
times, lol .. but maybe it was more of the exploratory work. I didn't pay as
much attention as I should have, there were many other things going on at that
company at the time, and I didn't really have patience for the people that
were being brought in by the money-guy to shore things up, so I lost interest
.. But for the brief period Aleph1 and I shared an office, it was definitely
an interesting time watching him work. Probably I remember it more fondly than
him, though. ;)

~~~
tptacek
Part of the issue here is that we're running into a topic I am extremely,
unreasonably nerdy about, since the first post-RTM working overflows are the
K-T boundary of computer security. Having a working stack overflow on SGI
MIPS, a delay-slot architecture with a split I&D cache, would have been a very
big deal, and would force me to revise a mental history I've been grooming for
a very long time. I believe Aleph One. :)

(We go back too, him and I; I met my wife at a party at his apartment).

~~~
fit2rule
Oh, his version of the history of his seminal paper is definitely canonical,
no doubt about that - but I definitely remember seeing him hacking on stack
exploits in the period leading up to when he released the paper, whether he
had things working or was otherwise probing, and maybe there was a
draft/discussion or two that we're both not remembering quite right. I
remember him snarfing my DEC Alpha for a few quick checks, too .. Halcyon days
indeed.

~~~
tptacek
No byte stores, required alignment, also annoying to write shellcode for!

~~~
saagarjha
Doesn’t MIPS have sb? Was that not part of MIPS I? (Or are you talking about
DEC Alpha?)

~~~
tptacek
Alpha, sorry!

~~~
saagarjha
It’s hard to tell some of the RISCs apart ;)

------
s5ma6n
I love the latest commit messages at the emulator repo :)

"Fuck you JavaScript, an array with 1 int in it is not a fucking number. Why
are you like this you piece of rotten garbage"

I share your hatred :)

A very nice guide and introduction both to x86 asm and buffer overflow. Thanks
for this.

------
saagarjha
The cute little emulator, which was linked in the article:
[https://github.com/bordplate/js86](https://github.com/bordplate/js86). I am
curious how they came up with the ABI for variadics, though…

~~~
bordplate
I've been aiming for x86-64 calling conventions, but must admit I've had a
tendency to mix them up. It doesn't matter much in this case though. There are
no variadic functions used in this post. I'm cheating a lot with the printf
function. You can see the implementation here:
[https://github.com/bordplate/js86/blob/master/Emulator/Proce...](https://github.com/bordplate/js86/blob/master/Emulator/Processor/CPU.js#L639)

------
mettamage
Someone should contact [https://explorabl.es/](https://explorabl.es/) because
this seems like an explorable exploration!

------
pelliphant
There is one thing here that I don't really understand:

In the first 2 examples, it says:

"If you pop (fetch) a value from the stack, RSP decreases by 8"

But when I step through it, it seems to add 8 on a pop, not subtract (and vice
versa for push), or am I missing something?

~~~
bordplate
Whoops, you're right. Thanks for pointing it out; I'll fix it. They should be
the other way around.

You're decreasing the stack but increasing RSP, because the stack "grows
down".
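A tiny model of the corrected push/pop rule from the exchange above, added here as an illustration (it is not code from the article or from the js86 emulator); the 8-byte little-endian layout, the sparse byte map and the starting RSP value are assumptions made for this example:

```javascript
// Minimal model of the x86-64 stack as discussed above: the stack "grows
// down", so PUSH decrements RSP by 8 before storing, and POP loads and then
// increments RSP by 8. Addresses and values are BigInt; memory is a sparse
// byte map (constructed for this example, not the js86 layout).
class StackModel {
  constructor(initialRsp) {
    this.rsp = initialRsp;          // 64-bit stack pointer
    this.mem = new Map();           // address (BigInt) -> byte (0..255)
  }
  writeQword(addr, value) {
    for (let i = 0n; i < 8n; i++) {           // little-endian store
      this.mem.set(addr + i, Number((value >> (8n * i)) & 0xffn));
    }
  }
  readQword(addr) {
    let v = 0n;
    for (let i = 0n; i < 8n; i++) {           // little-endian load
      v |= BigInt(this.mem.get(addr + i) ?? 0) << (8n * i);
    }
    return v;
  }
  push(value) {
    this.rsp -= 8n;                 // reserve 8 bytes: RSP moves to a lower address
    this.writeQword(this.rsp, value & 0xffffffffffffffffn);
    return this.rsp;
  }
  pop() {
    const value = this.readQword(this.rsp);
    this.rsp += 8n;                 // release 8 bytes: RSP moves back up
    return value;
  }
}

// Walk through two pushes and two pops, recording RSP after each step so the
// direction of movement (and the LIFO order) is explicit.
function demo() {
  const cpu = new StackModel(0x7fffffffe000n);   // assumed initial RSP
  const trace = [['start', cpu.rsp]];
  cpu.push(0x1111n); trace.push(['push 0x1111', cpu.rsp]);
  cpu.push(0x2222n); trace.push(['push 0x2222', cpu.rsp]);
  const first = cpu.pop();  trace.push(['pop -> 0x' + first.toString(16), cpu.rsp]);
  const second = cpu.pop(); trace.push(['pop -> 0x' + second.toString(16), cpu.rsp]);
  return { trace, first, second, finalRsp: cpu.rsp };
}
```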

