Introduction

This paper was published in Oakland 2014. In this paper, the author presents a generic way to exploit proprietary server even if the source code and the binary code is not available but a crash is found through remote fuzzing test.

Background

ROP is an important code reuse attacking technique. However, most current ROP attacks require the knowledge of the target source code or binary code to successfully craft the ROP chain. However, for some close-source server projects, the binary code is actually not available out there. Thus it would be very difficult for the attacker to achieve a successful attack on the target application. In this paper, author provides a way to leak the binary information of the target and mount a successful ROP attack under the assumption that there is one buffer overflow in the target application and the target application restarts after a crash.
The following picture displays different situations that could be applied with BROP.

Attacking model

In BROP, it makes the following two assumptions:
(1) A stack vulnerability and knowledge of how to trigger it.
(2) A server application that restarts after a crash.

BROP attack

The BROP attack has three phases:
(1) Stack Reading: read the stack to leak canaries and a return address to defeat ASLR.
(2) Blind ROP: find enough gadgets to invoke write (function call) and control its arguments.
(3) Build the ROP: dump enough of the binary to find enough gadgets to build a shellcode, and launch the final exploit.

Stack Reading

Canary Bypass: In order to defeat canaries, the paper generalized an attack (stack reading) to leak words from the stack. The basic idea in leaking canaries is to overflow a single byte on the stack each round. If the value was correct, the server does not crash. The attack continued on the 8 canary bytes on the stack.
ASLR: With stack reading, the attacker could also modify the saved frame pointer and instruction pointer. Different from canary reading, it can detect all valid return addresses without the exact knowledge of those gadgets. However, this problem will be solved in the next section.

BROP attacks

In order to dump the binary code of the target application, syscall write is necessary with the following gadgets:

pop rdi; ret (socket)
pop rsi; ret (buffer)
pop rdx; ret (length)
pop rax; ret (write syscall number)
syscall

Several optimizations are applied in the construction of BROP attack.
One optimization is to find write in PLT to replace pop rax; ret and syscall.
Another optimization is about pop rdx; ret. According to the paper, it is hard to find pop rdx; ret gadget in practice, the paper provides an alternative way to achieve the goal with help of strcmp syscall.
Thus the exploit contain the following two parts:
(1)Find BROP gadgets.
(2)Find the entry for write and strcmp in PLT.

Find BROP gadgets

To find and identify the BROP gadgets, different gadgets are needed:
Stop gadget: gadget that may cause an infinite loop or keeps the connection open
Probe gadget: gadget being scanned
Trap gadget: non-executable address
The following picture shows how the stop gadget works:

Use combination of stop gadget, trap gadget and probe gadget to identify the gadget function.

However, at this point the attacker only obtains a list of pop x; ret gadgets, it needs further identification to find what x is.
(1) Find all pop x; ret gadgets.
(2) Find a syscall gadget. The way to find syscall gadget will be introduced next.
(3) Identify the pop gadgets previous found.

To identify what x is, different syscalls are used for identification as below:

pop rax; ret gadget : pause()
pop rdi; ret gadget : first argument nanosleep(len, rem)
pop rsi; ret gadget : second argument kill(pid, sig)
pop rdx; ret gadget : third argument clock_nano_sleep(clock, flags,len, rem)

Find the PLT, strcmp and write

The structure of PLT has very unique feature shown as following. More details about PLT can be found in my previous POST: ELF file format

And the address of the PLT could be found by repeating searching the memory.

To identify the entry of strcmp in PLT, the attack could repeat the following attemps to identify whether the scanned entry is strcmp or not.

To identify the entry of write in PLT, the attack could try to write some data in the socket by brute force and see the response.

Conclusion

Thanks for the author of the paper, it gives a summarized BROP attack in his paper:
(1) Find where the executable is loaded. Either 0x400000 for non-PIE executables (default) or stack read a saved return address.
(2) Find a stop gadget. This is typically a blocking system call (like sleep or read) in the PLT. The attacker finds the PLT in this step too.
(3) Find the BROP gadget. The attacker can now control the first two arguments to calls.
(4) Find strcmp in the PLT. The attacker can now control the first three arguments to calls.
(5) Find write in the PLT. The attacker can now dump the entire binary to find more gadgets.
(6) Build a shellcode and exploit the server