Abstract—We show that it is possible to write remote stack
buffer overflow exploits without possessing a copy of the target
binary or source code, against services that restart after a crash.
This makes it possible to hack proprietary closed-binary services,
or open-source servers manually compiled and installed from
source where the binary remains unknown to the attacker. Traditional
techniques are usually paired against a particular binary
and distribution where the hacker knows the location of useful
gadgets for Return Oriented Programming (ROP). Our Blind
ROP (BROP) attack instead remotely finds enough ROP gadgets
to perform a write system call and transfers the vulnerable
binary over the network, after which an exploit can be completed
using known techniques. This is accomplished by leaking a
single bit of information based on whether a process crashed
or not when given a particular input string. BROP requires a
stack vulnerability and a service that restarts after a crash. We
implemented Braille, a fully automated exploit that yielded a shell
in under 4,000 requests (20 minutes) against a contemporary
nginx vulnerability, yaSSL + MySQL, and a toy proprietary
server written by a colleague. The attack works against modern
64-bit Linux with address space layout randomization (ASLR),
no-execute page protection (NX) and stack canaries.
More here: http://www.scs.stanford.edu/~sorbo/brop/bittau-brop.pdf
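The attack's one-bit oracle costs a crash per probe, so a BROP run against a restarting service shows up as thousands of segfaults of the same program name in minutes. The detector below is an added example (not code from the paper or from Braille): it parses x86-64 Linux kernel segfault reports and flags any program whose crash count inside a sliding window exceeds a threshold; the log lines, window and threshold are constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Kernel "segfault at ... ip ... sp ... error ..." report format; the
# sample lines in SAMPLE_LOG below are constructed, not captured from a host.
SEGFAULT_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<comm>[\w.-]+)\[(?P<pid>\d+)\]: segfault at "
    r"(?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
)

def parse_segfaults(lines):
    """Yield (timestamp, comm, pid, faulting ip) for every kernel segfault line."""
    for line in lines:
        m = SEGFAULT_RE.match(line)
        if m:
            yield float(m["ts"]), m["comm"], int(m["pid"]), int(m["ip"], 16)

def crash_bursts(lines, window_s=60.0, threshold=20):
    """Return {comm: peak crashes within any window_s seconds} for programs
    at or above threshold. A crash-restart probe yields many crashes of the
    same comm with fresh pids; a single buggy request does not."""
    windows = defaultdict(deque)   # per-program timestamps inside the window
    peak = defaultdict(int)
    for ts, comm, _pid, _ip in parse_segfaults(lines):
        q = windows[comm]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        peak[comm] = max(peak[comm], len(q))
    return {c: n for c, n in peak.items() if n >= threshold}

# Constructed sample: 25 nginx worker crashes 1.2 s apart (a probing burst),
# two isolated sshd crashes far apart, and one unrelated line.
SAMPLE_LOG = [
    f"[{1000.0 + i * 1.2:.6f}] nginx[{4000 + i}]: segfault at 0 "
    f"ip {0x400000 + 0x10 * i:016x} sp 00007ffc1a2b3c40 error 4 in nginx[400000+a3000]"
    for i in range(25)
] + [
    "[1010.500000] sshd[700]: segfault at 0 ip 0000000000401000 sp 00007ffd00000000 error 4 in sshd[400000+20000]",
    "[1300.000000] sshd[701]: segfault at 0 ip 0000000000401000 sp 00007ffd00000000 error 4 in sshd[400000+20000]",
    "[1020.000000] kernel: unrelated message",
]

if __name__ == "__main__":
    for comm, n in crash_bursts(SAMPLE_LOG).items():
        print(f"{comm}: {n} crashes in one 60 s window; suspect crash-restart probing")
```

Pair the alert with the mitigation the paper implies: a service that re-executes (re-randomizing ASLR) instead of forking from a fixed parent image removes the stable layout the probe depends on.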