Mctrain's Blog

What I learned in IT, as well as thought about life

Blind Return Oriented Programming (BROP) Attack (2)


This topic consists of 3 sessions:

Blind Return Oriented Programming (BROP) Website

Hacking Blind: paper and slide

Following the 1st session, which covered the principle of the BROP attack, this page discusses how to conduct the real exploit on a Linux system.

This session is more of a tutorial on how I conducted one of the 3 attacks conducted by the authors (specifically, attacking nginx 1.4.0 through a buffer overflow bug, CVE-2013-2028, and finally executing a shell) on my PC.

Setting Up Nginx-1.4.0

First, we need to set up the server environment: nginx 1.4.0.

Download the nginx 1.4.0 source code:

$ wget
$ tar zxvf nginx-1.4.0.tar.gz
$ cd nginx-1.4.0
$ ./configure --sbin-path=/usr/local/nginx/nginx --conf-path=/usr/local/nginx/nginx.conf --pid-path=/usr/local/nginx/ --with-http_ssl_module

Before compiling, modify the Makefile to enable stack canary protection:

$ vi objs/Makefile
CFLAGS = -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -fstack-protector

Then compile it:

$ make -j4
$ sudo make install

At this point, it is installed in the /usr/local/nginx folder. If you use to check it:

$ wget
$ chmod +x ./
$ ./ --file /usr/local/nginx/nginx

You will get the following result:

[Image: result]

This means the binary already has NX and stack canary protection.
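What such a check looks for, as an added example (not from the original post or from the tool it uses): a minimal Python checker for 64-bit little-endian ELF files that treats a `PT_GNU_STACK` header without the execute flag as NX and a reference to `__stack_chk_fail` as evidence of `-fstack-protector`. The function names and the constructed sample bytes are assumptions made for illustration.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header describing stack permissions
PF_X = 0x1                 # "executable" bit in p_flags


def check_hardening(data: bytes) -> dict:
    """Report NX and stack-canary status of a 64-bit little-endian ELF image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    nx = False  # no PT_GNU_STACK header at all: do not assume a non-executable stack
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    # Heuristic: code built with -fstack-protector calls __stack_chk_fail, so the
    # symbol name appears in the binary's string tables.
    canary = b"__stack_chk_fail" in data
    return {"nx": nx, "canary": canary}


def make_sample_elf(stack_flags: int, strings: bytes) -> bytes:
    """Constructed test input: ELF64 header, one PT_GNU_STACK phdr, string blob."""
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr + strings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. the binary installed above: /usr/local/nginx/nginx
        with open(sys.argv[1], "rb") as f:
            print(check_hardening(f.read()))
    else:
        # Constructed samples: RW stack with canary symbol, then RWX stack without
        print(check_hardening(make_sample_elf(0x6, b"\0__stack_chk_fail\0")))
        print(check_hardening(make_sample_elf(0x7, b"\0puts\0")))
```

The canary test is a string-table heuristic, so a statically linked and stripped binary can report `canary: False` even when it was built with the flag.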

Before running nginx, we need to modify its configuration to make it run with 4 worker processes:

$ vi /usr/local/nginx/nginx.conf
#user  nobody
worker_processes 4;

Then we just run it with:

$ sudo /usr/local/nginx/nginx

Exploit BROP Attack

Now let’s see how to do the BROP attack. It is quite simple, since the authors have already written an nginx-specific attack script in Ruby.

Download the exploit script:

$ wget
$ tar zxvf nginx-1.4.0-exp.tgz
$ cd nginx-1.4.0-exp

And run it by simply executing:

$ ./brop.rb

If everything is OK, it will exploit nginx-1.4.0 using the approach I talked about here, and finally print the id of the exploited shell’s owner:

If there’s any problem and you want to rerun the script, you should first remove the state.bin file, or even restart nginx, and then run brop.rb again:

$ rm -f ./state.bin
$ ./brop.rb

That’s done!

In the following session, I will try to analyse the Ruby script and show how they do the attack at the code level.