Blind Return Oriented Programming (BROP)

Open-source (e.g., Apache)
Open-binary (e.g., Internet Explorer)
Closed-binary and source (e.g., some proprietary network service)

The BROP attack makes it possible to write exploits without possessing the target's binary. It requires a stack overflow and a service that restarts after a crash. Based on whether a service crashes or not (i.e., connection closes or stays open), the BROP attack is able to construct a full remote exploit that leads to a shell. The BROP attack remotely leaks enough gadgets to perform the write system call, after which the binary is transferred from memory to the attacker's socket. Following that, a standard ROP attack can be carried out. Apart from attacking proprietary services, BROP is very useful in targeting open-source software for which the particular binary used is not public (e.g., installed from source setups, Gentoo boxes, etc.).

The attack completes within 4,000 requests (i.e., within minutes) when tested against a toy proprietary service and against real vulnerabilities in nginx and MySQL.

The fundamental problem sometimes seen in servers is that they fork a new worker process after a crash, without any rerandomization (e.g., no execve follows the fork), so every worker shares the same addresses and stack canary. nginx, for example, does this.
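Because the attack depends on crashing workers thousands of times, the crash-restart pattern is the obvious thing to watch for. As an added example that is not from the paper or the project, the script below scans nginx-style error-log lines for worker crashes and flags a burst of them in a sliding window; the log lines are constructed here and the window and threshold are assumptions to tune per deployment.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# nginx error-log line for a worker crash (constructed example):
# 2024/03/01 12:00:00 [alert] 1234#0: worker process 5678 exited on signal 11
# Signal 11 is a segfault; signal 6 is SIGABRT, which glibc raises on a bad
# stack canary, so both matter and the pattern matches any signal number.
CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)"
)

def parse_crashes(lines):
    """Yield (timestamp, pid, signal) for every worker-crash line."""
    for line in lines:
        m = CRASH_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                   int(m["pid"]), int(m["sig"]))

def crash_bursts(lines, window=timedelta(seconds=60), threshold=20):
    """Return [(first_ts, last_ts, count)] for each burst of at least
    `threshold` worker crashes inside `window`; a burst is reported once
    and the window is reset so a long probing run yields one alert per
    `threshold` crashes rather than one per line."""
    alerts, recent = [], deque()
    for ts, _pid, _sig in parse_crashes(lines):
        recent.append(ts)
        while ts - recent[0] > window:      # drop crashes older than the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((recent[0], ts, len(recent)))
            recent.clear()
    return alerts

def make_sample_log():
    """Constructed sample: one isolated crash at 10:00, then 25 crashes in 25 s
    at 11:00, each followed by the master restarting a worker (no execve)."""
    lines = ["2024/03/01 10:00:00 [alert] 1234#0: worker process 5000 exited on signal 11",
             "2024/03/01 10:00:00 [notice] 1234#0: start worker process 5001"]
    base = datetime(2024, 3, 1, 11, 0, 0)
    for i in range(25):
        ts = (base + timedelta(seconds=i)).strftime("%Y/%m/%d %H:%M:%S")
        lines.append(f"{ts} [alert] 1234#0: worker process {6000 + i} exited on signal 11")
        lines.append(f"{ts} [notice] 1234#0: start worker process {6100 + i}")
    return lines

if __name__ == "__main__":
    for first, last, n in crash_bursts(make_sample_log()):
        print(f"{n} worker crashes between {first} and {last}: possible stack-reading probe")
```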

The paper describing the work is:

A. Bittau, A. Belay, A. Mashtizadeh, D. Mazières, D. Boneh: Hacking Blind. In Oakland 2014. [slides]

Attack outline

1. Break ASLR by "stack reading" a return address (and canaries).
2. Find a "stop gadget" which halts ROP chains so that other gadgets can be found.
3. Find the BROP gadget which lets you control the first two arguments of calls.
4. Find a call to strcmp, which as a side effect sets the third argument to calls (e.g., write length) to a value greater than zero.
5. Find a call to write.
6. Write the binary from memory to the socket.
7. Dump the symbol table from the downloaded binary to find calls to dup2, execve, and build shellcode.

Downloads