An automatic Blind ROP exploitation python tool
Abstract
BROP (Blind ROP) was a technique found by Andrew Bittau from Stanford in 2014.
Original paper
Slides
Most servers, such as nginx, Apache and MySQL, fork a worker process and then let that worker talk to the client. Because every worker is a copy of the same parent, the stack canary and the process addresses stay the same across workers even when ASLR and PIE are enabled. A crashed worker is simply respawned with the identical layout, so an attacker can use educated brute force to leak that information one byte at a time and then craft a working exploit.
Flow of exploitation
Find buffer overflow offset
Find canary
Find saved registers (RBP / RIP)
Find stop gadgets
Find brop gadgets
Find a Write function (write / dprintf / puts / …)
Leak the binary
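From the defender's side, the property the tool relies on is also what makes it visible: every brute-force step that guesses wrong kills one worker, and the parent respawns it, so a run against a forking server shows up as a burst of segfaults for one program name with a fresh pid each time while the service keeps answering. The following Python is an added example, not part of the tool or the original post; it parses a constructed, simplified kernel segfault log format (the timestamps, program names and pids are made up for the example) and flags any binary whose distinct workers crash more than a threshold number of times inside a sliding window.

```python
"""Flag crash storms of forking server workers from constructed segfault log lines.

A blind brute-force against a forking server kills one worker per wrong guess
while the parent keeps serving, so many segfaults of the same program name with
distinct pids inside a short window is the signal worth alerting on.
The log format and all values below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines in a simplified "<ISO timestamp> kernel: <comm>[<pid>]: segfault at ..." form.
# Two nginx crashes at 09:50 are old noise; six crashes between 10:00:00 and 10:00:30,
# each from a new worker pid, are the burst; one sshd crash is unrelated.
SAMPLE_LOG = """\
2024-03-12T09:50:00 kernel: nginx[2100]: segfault at 0 ip 000055d0c3a1b2c4 sp 00007ffd1e2a3b40 error 4 in nginx[55d0c3a00000+120000]
2024-03-12T09:50:05 kernel: nginx[2101]: segfault at 0 ip 000055d0c3a1b2c4 sp 00007ffd1e2a3b40 error 4 in nginx[55d0c3a00000+120000]
2024-03-12T10:00:00 kernel: nginx[2311]: segfault at 4141414141414141 ip 000055d0c3a1b2c4 sp 00007ffd1e2a3b40 error 6 in nginx[55d0c3a00000+120000]
2024-03-12T10:00:06 kernel: nginx[2312]: segfault at 4141414141414141 ip 000055d0c3a1b2c4 sp 00007ffd1e2a3b40 error 6 in nginx[55d0c3a00000+120000]
2024-03-12T10:00:12 kernel: sshd[3000]: segfault at 8 ip 000055e1a0b0c0d0 sp 00007ffc0a0b0c10 error 4 in sshd[55e1a0a00000+90000]
2024-03-12T10:00:13 kernel: eth0: link up
2024-03-12T10:00:14 kernel: nginx[2313]: segfault at 4141414141414141 ip 000055d0c3a1b2c4 sp 00007ffd1e2a3b40 error 6 in nginx[55d0c3a00000+120000]
2024-03-12T10:00:20 kernel: nginx[2314]: segfault at 4141414141414141 ip 000055d0c3a1b2c4 sp 00007ffd1e2a3b40 error 6 in nginx[55d0c3a00000+120000]
2024-03-12T10:00:25 kernel: nginx[2315]: segfault at 4141414141414141 ip 000055d0c3a1b2c4 sp 00007ffd1e2a3b40 error 6 in nginx[55d0c3a00000+120000]
2024-03-12T10:00:30 kernel: nginx[2316]: segfault at 4141414141414141 ip 000055d0c3a1b2c4 sp 00007ffd1e2a3b40 error 6 in nginx[55d0c3a00000+120000]
"""

# Matches only segfault records; other kernel lines (e.g. link state) are ignored.
SEGFAULT_RE = re.compile(
    r"^(?P<ts>\S+) kernel: (?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at"
)


def parse_segfaults(text):
    """Return a list of (timestamp, program name, pid) for every segfault line."""
    events = []
    for line in text.splitlines():
        m = SEGFAULT_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["comm"], int(m["pid"])))
    return events


def detect_crash_storms(events, threshold=5, window=timedelta(seconds=60)):
    """Map program name -> (distinct crashed pids, window start, window end)
    for every program whose workers crashed at least `threshold` times
    (counting distinct pids) inside any sliding window of length `window`."""
    by_comm = defaultdict(list)
    for ts, comm, pid in events:
        by_comm[comm].append((ts, pid))

    storms = {}
    for comm, crashes in by_comm.items():
        crashes.sort()
        best = None
        start = 0
        for end in range(len(crashes)):
            # Slide the window start forward until it fits inside `window`.
            while crashes[end][0] - crashes[start][0] > window:
                start += 1
            pids = {pid for _, pid in crashes[start:end + 1]}
            if len(pids) >= threshold and (best is None or len(pids) > best[0]):
                best = (len(pids), crashes[start][0], crashes[end][0])
        if best is not None:
            storms[comm] = best
    return storms


def run_sample():
    """Parse the constructed log and return the detected storms."""
    return detect_crash_storms(parse_segfaults(SAMPLE_LOG))


if __name__ == "__main__":
    for comm, (count, first, last) in run_sample().items():
        print(f"ALERT: {comm} workers crashed {count} times between {first} and {last}")
```

Counting distinct pids rather than raw lines is deliberate: a single process that crashes once and is not restarted is a bug report, while a stream of new pids dying under the same program name is a parent respawning workers under pressure. On a real host the same logic reads `dmesg`, `journalctl -k` or the `/var/log/kern.log` lines in whatever format the distribution emits, so the regex would need adjusting to that format.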
