Coder Social home page Coder Social logo

bropper's Introduction

BROPPER

An automatic Blind ROP exploitation python tool

Abstract

BROP (Blind ROP) was a technique found by Andrew Bittau from Stanford in 2014.

Most servers like nginx, Apache, MySQL, forks then communicates with the client. This means canary and addresses stay the same even if there is ASLR and PIE. So we can use some educated brute force to leak information and subsequently craft a working exploit.

Flow of exploitation

  1. Find buffer overflow offset
  2. Find canary
  3. Find saved registers (RBP / RIP)
  4. Find stop gadgets
  5. Find brop gadgets
  6. Find a Write function (write / dprintf / puts / ...)
  7. Leak the binary

Examples of Results

There is 3 customs vulnerable examples provided in this repository. You can run it directly or build the Dockerfile

BROPPER will then dump the binary :

It's then possible to extract all ROP gadgets from the dumped binary using ROPgadget for example :

$ ROPgadget --binary dump
Gadgets information
============================================================
0x0000000000001177 : adc al, 0 ; add byte ptr [rax], al ; jmp 0x1020
0x0000000000001157 : adc al, byte ptr [rax] ; add byte ptr [rax], al ; jmp 0x1020
0x0000000000001137 : adc byte ptr [rax], al ; add byte ptr [rax], al ; jmp 0x1020
...
...
...
0x0000000000001192 : xor ch, byte ptr [rdi] ; add byte ptr [rax], al ; push 0x16 ; jmp 0x1020
0x000000000000182e : xor eax, 0x891 ; mov rdi, rax ; call rcx
0x0000000000001861 : xor eax, 0xffffff22 ; mov rdi, rax ; call rcx

Unique gadgets found: 235

Script usage

To use this script:

python3 -m pip install -r requirements.txt
python3 bropper.py -t 127.0.0.1 -p 1337 --wait "Password :" --expected Bad --expected-stop Welcome -o dump
$ python3 bropper.py -h
usage: bropper.py [-h] -t TARGET -p PORT --expected-stop EXPECTED_STOP --expected EXPECTED --wait WAIT -o OUTPUT [--offset OFFSET] [--canary CANARY] [--no-canary] [--rbp RBP] [--rip RIP] [--stop STOP]
                  [--brop BROP] [--plt PLT] [--strcmp STRCMP] [--elf ELF]

Description message

options:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        target url
  -p PORT, --port PORT  target port
  --expected-stop EXPECTED_STOP
                        Expected response for the stop gadget
  --expected EXPECTED   Expected normal response
  --wait WAIT           String to wait before sending payload
  -o OUTPUT, --output OUTPUT
                        File to write dumped remote binary
  --offset OFFSET       set a offset value
  --canary CANARY       set a canary value
  --no-canary           Use this argument if there is no stack canary protection
  --rbp RBP             set rbp address
  --rip RIP             set rip address
  --stop STOP           set stop gadget address
  --brop BROP           set brop gadget address
  --plt PLT             set plt address
  --strcmp STRCMP       set strcmp entry value
  --elf ELF             set elf address

Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.

bropper's People

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar

Forkers

gavz orguetta y0d4a simran-sankhala ssghost ca0x0 short dawnadvent tobey123 denji 5l1v3r1 lcsouzamenezes killvxk fengjixuchui c0axial farrimwildaxe fhoenix42s yijiyouyu

bropper's Issues

Unable to leak stack byte

add in your argument parser a boolean parameter for byte order.
ubuntu using little, debian is using big.

but this doesn't seems to fixed it, i'm still unable to leak a stack byte.

big endian byte order
to_bytes('big')

little endian byte order
to_bytes('little')

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.