Source: myhack58 (黑吧安全网), author: 佚名 (Anonymous), ID: MYHACK58:62201782943
Published: Jan 17, 2017

BROP attack: analysis and exploitation of the Nginx remote code execution vulnerability - Vulnerabilities and Early Warning - 黑吧安全网


EPSS: 0.152 (percentile 95.9%)

Blind ROP is a very interesting attack. Quite a few foreign articles, as well as an article in the old WooYun (乌云) knowledge base, describe it; I have put these reference articles at the end of the post, and interested friends are welcome to study and discuss them together. As a member of the FlappyPig team I always keep an eye on what is happening in CTF, and I heard that Blind ROP also appeared in this year's HCTF pwn challenges; at the end of the post I will attach the GitHub repo of z (z大神), which contains the HCTF BROP pwn challenge.
Recently I also looked into Blind ROP together with joker and muhe. It is a very interesting exploitation technique; although it is complicated, I very much admire the ingenuity behind it. Offensive and defensive confrontation keeps producing such wonderful exploitation and mitigation ideas.
I do not know much about CTF, but in the process of learning I finally "got to know" Blind ROP through an old Nginx vulnerability and benefited a lot. Thanks also to joker, muhe and swing for their discussion and guidance while I was learning.
Below I will analyze the principle of the Nginx vulnerability and then, from this vulnerability's Exploit, the whole BROP exploitation method. The principle of the vulnerability is already described in detail on the Internet; here I will combine it with the Exploit to explain the entire process. Where I make mistakes below, please be tolerant and offer criticism (after all, reading through 2000+ lines of Ruby is quite painful T. T).
Nginx vulnerability analysis (CVE-2013-2028)
This is an Nginx stack overflow vulnerability. My analysis environment is x86, while the exploitation is done on x86_64. I did not originally intend it that way, but I had previously reproduced this Nginx vulnerability on x86 with msf, so I took the opportunity to do the analysis there, and then, when I got to the Exploit, I did the BROP exploitation research on x86_64. The difference in system version does not affect our understanding of the vulnerability or the analysis of its exploitation.
I will not say much here about setting up the vulnerable environment and installing Nginx; in the reference articles at the end of the text I provide an environment setup guide, which works if followed. The vulnerability analysis environment here is Ubuntu 13.04 x86, and the exploitation analysis environment is Kali 2.0.
After building the environment, run the nginx service with `#/usr/local/nginx/nginx` (in some environments it is `#/usr/local/nginx/sbin/nginx`), attach to it with gdb's attach method, and then send the payload with msf. Here I ran into a situation: when msf sends the payload it prompts ERRCONNECT; setting the target explicitly with `set target 0` instead of using auto target should make it work. Send the Exploit, and first let's look at the transmitted data packets.
![](/Article/UploadPic/2017-1/20171173314741.png)
A total of two GET packets are sent. The second one carries a Transfer-Encoding header whose value is chunked, followed by the malformed string; the first packet also carries Transfer-Encoding: chunked but without the malformed data. Why two packets are sent will be explained later. Nginx then crashes, as captured below.
![](/Article/UploadPic/2017-1/20171173315247.png)
At the crash, use bt to trace back the call stack.
gdb-peda$ bt
#0  0xb77d5424 in __kernel_vsyscall ()
#1  0xb7596b1f in raise () from /lib/i386-linux-gnu/libc.so.6
#2  0xb759a0b3 in abort () from /lib/i386-linux-gnu/libc.so.6
#3  0xb75d3ab5 in ?? () from /lib/i386-linux-gnu/libc.so.6
#4  0xb766ebc3 in __fortify_fail () from /lib/i386-linux-gnu/libc.so.6
#5  0xb766eb5a in __stack_chk_fail () from /lib/i386-linux-gnu/libc.so.6
#6  0x0807b4c3 in ngx_http_read_discarded_request_body (r=r@entry=0x83f7838)
    at src/http/ngx_http_request_body.c:676
#7  0x0807bdf7 in ngx_http_discard_request_body (r=r@entry=0x83f7838)
    at src/http/ngx_http_request_body.c:526
#8  0x08087a98 in ngx_http_static_handler (r=0x83f7838)
    at src/http/modules/ngx_http_static_module.c:211
#9  0x0806fb2b in ngx_http_core_content_phase (r=0x83f7838, ph=0x84022b8)
    at src/http/ngx_http_core_module.c:1415
The problem shows up in __stack_chk_fail: the stack canary check failed, so the program aborted. The bt output is very long, so I will not walk through the backtrace itself here; instead we go forward from the request and analyze the whole cause of the vulnerability. First, the packet we sent contains a chunked Transfer-Encoding. This goes through an if-statement comparison, after which the chunked member of the headers_in struct inside r is set. src/http/ngx_http_request.c:1707:
ngx_int_t
ngx_http_process_request_header(ngx_http_request_t *r)
{
    if (r->headers_in.transfer_encoding) {
        if (r->headers_in.transfer_encoding->value.len == 7
            && ngx_strncasecmp(r->headers_in.transfer_encoding->value.data,
                               (u_char *) "chunked", 7) == 0)
        {
            r->headers_in.content_length = NULL;
            r->headers_in.content_length_n = -1;
            r->headers_in.chunked = 1;
        }
        /* ... rest of the function omitted ... */
    }
}
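To make the crash path in the backtrace concrete, here is an added model of the CVE-2013-2028 bug in C. It is written for this article and is not nginx source: the function names below are mine, the 4096-byte NGX_HTTP_DISCARD_BUFFER_SIZE, the ngx_min()/cast in ngx_http_read_discarded_request_body() and the `ctx->size < 0` check are taken from the public nginx 1.4.1 fix, and a 64-bit off_t on a two's-complement machine is assumed. The chunk-size parser accumulates hex digits into a signed off_t with no overflow check, so a line of sixteen 'f's wraps to -1; the discard path then takes ngx_min(content_length_n, 4096) on the signed value and casts it to size_t, which turns the bound into a huge recv() length into the stack buffer, exactly what the canary caught above. The chunk-size lines in main() are constructed for the demo.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Size of u_char buffer[NGX_HTTP_DISCARD_BUFFER_SIZE] on the stack in
 * ngx_http_read_discarded_request_body() (value from nginx). */
#define NGX_HTTP_DISCARD_BUFFER_SIZE 4096

/*
 * Model of the sw_chunk_size state of ngx_http_parse_chunked(): each hex digit
 * does ctx->size = ctx->size * 16 + digit on a signed off_t, with no digit-count
 * or overflow check. Wrap-around is done here in uint64_t (well-defined) and the
 * result reinterpreted as the signed value the real off_t ends up holding
 * (assumes 64-bit off_t, two's complement). `hardened` enables the check added
 * by the 1.4.1 fix: if (ctx->size < 0 || ctx->length < 0) goto invalid;
 * Returns 0 and stores the size on success, -1 when the line is rejected.
 */
int parse_chunk_size(const char *line, int hardened, int64_t *size_out)
{
    uint64_t acc = 0;
    const char *p = line;
    int ndigits = 0;

    for (; isxdigit((unsigned char) *p); p++, ndigits++) {
        int c = tolower((unsigned char) *p);
        int digit = (c >= 'a') ? c - 'a' + 10 : c - '0';
        acc = acc * 16 + (uint64_t) digit;      /* wraps silently past 16 digits */
    }
    if (ndigits == 0 || (*p != '\r' && *p != '\n' && *p != ';')) {
        return -1;                              /* not a chunk-size line */
    }

    int64_t size = (int64_t) acc;               /* sign bit set => negative size */
    if (hardened && size < 0) {
        return -1;                              /* the fix: negative size is invalid */
    }
    *size_out = size;
    return 0;
}

/*
 * Model of the discard path. For a chunked body the filter copies the parsed
 * chunk size into r->headers_in.content_length_n, and the reader then does
 *   size = (size_t) ngx_min(r->headers_in.content_length_n, NGX_HTTP_DISCARD_BUFFER_SIZE);
 *   n = r->connection->recv(r->connection, buffer, size);
 * ngx_min() compares signed values, so a negative size "wins" and the cast
 * turns it into a huge size_t passed to recv().
 */
size_t discard_recv_size(int64_t content_length_n)
{
    int64_t m = content_length_n < NGX_HTTP_DISCARD_BUFFER_SIZE
                    ? content_length_n : NGX_HTTP_DISCARD_BUFFER_SIZE;
    return (size_t) m;
}

/* True when a recv() of that length could run past the 4096-byte stack buffer. */
int overflows_discard_buffer(size_t recv_size)
{
    return recv_size > NGX_HTTP_DISCARD_BUFFER_SIZE;
}

/* 0 = line rejected, 1 = accepted and recv() stays inside the buffer,
 * 2 = accepted and recv() would overflow the buffer. */
int chunk_line_verdict(const char *line, int hardened)
{
    int64_t size;
    if (parse_chunk_size(line, hardened, &size) != 0) {
        return 0;
    }
    return overflows_discard_buffer(discard_recv_size(size)) ? 2 : 1;
}

int main(void)
{
    /* Constructed chunk-size lines: a normal one and sixteen 'f's (wraps to -1). */
    const char *lines[] = { "1000\r\n", "ffffffffffffffff\r\n" };

    for (int hardened = 0; hardened < 2; hardened++) {
        for (size_t i = 0; i < 2; i++) {
            int64_t size;
            const char *who = hardened ? "fixed     " : "vulnerable";
            if (parse_chunk_size(lines[i], hardened, &size) != 0) {
                printf("%s: chunk-size line rejected\n", who);
                continue;
            }
            size_t n = discard_recv_size(size);
            printf("%s: size=%lld recv(len=%zu) overflow=%d\n",
                   who, (long long) size, n, overflows_discard_buffer(n));
        }
    }
    return 0;
}
```

The point to take from the model is that the 4096 bound is only a bound for non-negative sizes; a value of -1 passes ngx_min() untouched and becomes SIZE_MAX after the cast, so recv() is free to write as much as the attacker sends on top of the stack frame, and the canary is the first thing that notices.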
If you look at the bt backtrace above you can see that this r struct is passed around as a parameter almost everywhere. The r struct is the Nginx HTTP request structure, defined as:

typedef struct ngx_http_request_s ngx_http_request_t;
With this definition we can use the p command directly to print the contents of the whole struct.
