The authors demonstrate how to build remote stack buffer-overflow attacks against services that restart after a crash, without having a copy of the target binary or its source code. This makes it possible to exploit proprietary closed-binary services as well as open-source servers that were built and installed from source by hand, so that the exact binary is unknown to the attacker. Traditional methods are tied to a particular binary and distribution for which the attacker already knows the locations of the needed Return Oriented Programming (ROP) gadgets. Instead, our Blind ROP (BROP) attack finds enough ROP gadgets over the network to perform a write system call and transmit the vulnerable binary back to the attacker, after which the exploit can be completed with existing techniques. This is done by leaking a single piece of information per request: whether or not the process crashed when given a particular input string. BROP requires a stack vulnerability and a service that restarts after a crash. We tested the attack with Braille, a fully automated exploit that yielded a shell in under 4,000 requests (20 minutes) against a contemporary nginx vulnerability, yaSSL + MySQL, and a toy proprietary server written by a colleague. The attack works against current 64-bit Linux with address space layout randomization (ASLR), no-execute page protection (NX), and stack canaries enabled.
ASLR, Attack, Blind, Hacking, ROP
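The defender-side signal that BROP leaves behind, as an added example that is not code from the paper or from the Braille tool: the attack needs the service to crash and be restarted thousands of times, so a burst of worker crashes (SIGSEGV from a corrupted return address, SIGABRT from a stack-canary failure) inside a short window is the event to alert on. The nginx-style error-log lines are constructed for this example, and the window length and threshold are assumptions to tune per service.

```python
import re
from datetime import datetime

# Constructed sample lines in nginx error-log style (not a real capture).
# Master 100 respawns a worker after every crash, which is exactly the
# behaviour a blind attacker depends on; the last crash is an isolated one.
SAMPLE_LOG = """\
2024/05/01 12:00:01 [notice] 100#0: start worker process 2001
2024/05/01 12:00:05 [alert] 100#0: worker process 2001 exited on signal 11
2024/05/01 12:00:05 [notice] 100#0: start worker process 2002
2024/05/01 12:00:09 [alert] 100#0: worker process 2002 exited on signal 6
2024/05/01 12:00:09 [notice] 100#0: start worker process 2003
2024/05/01 12:00:13 [alert] 100#0: worker process 2003 exited on signal 11
2024/05/01 12:00:14 [notice] 100#0: start worker process 2004
2024/05/01 12:00:18 [alert] 100#0: worker process 2004 exited on signal 11
2024/05/01 12:00:18 [notice] 100#0: start worker process 2005
2024/05/01 12:00:22 [alert] 100#0: worker process 2005 exited on signal 6
2024/05/01 12:00:22 [notice] 100#0: start worker process 2006
2024/05/01 12:00:26 [alert] 100#0: worker process 2006 exited on signal 11
2024/05/01 12:00:26 [notice] 100#0: start worker process 2007
2024/05/01 12:00:40 [error] 100#0: *1 open() "/srv/missing" failed (2: No such file or directory)
2024/05/01 12:03:00 [notice] 100#0: worker process 2007 exited with code 0
2024/05/01 12:05:00 [alert] 100#0: worker process 2008 exited on signal 11
"""

# Only signal-terminated worker exits matter; clean exits ("with code 0") are not matched.
CRASH_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (\d+) exited on signal (\d+)"
)
# SIGSEGV (11): bad return address or gadget guess. SIGABRT (6): stack canary check failed.
CRASH_SIGNALS = {6, 11}


def crash_events(log_text):
    """Return [(timestamp, pid, signal)] for every crash-style worker exit."""
    events = []
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if m and int(m.group(3)) in CRASH_SIGNALS:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            events.append((ts, int(m.group(2)), int(m.group(3))))
    return events


def detect_crash_bursts(log_text, window_seconds=60, threshold=5):
    """Sliding window over crash events; one alert (first_ts, last_ts, count)
    each time a window first accumulates `threshold` crashes. Assumed tuning values."""
    events = crash_events(log_text)
    alerts, start = [], 0
    for end, (ts, _pid, _sig) in enumerate(events):
        while (ts - events[start][0]).total_seconds() > window_seconds:
            start += 1
        if end - start + 1 == threshold:
            alerts.append((events[start][0], ts, threshold))
    return alerts
```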