Braille: a fully automated tool that conducts a Blind Return Oriented Programming (BROP) attack.

Braille is a fully automated tool that conducts a BROP attack (from crash to remote shell) when supplied with an input string that crashes a server through a stack overflow.

The BROP attack makes it possible to write exploits without possessing the target's binary. It requires a stack overflow and a service that restarts after a crash. Using only whether the service crashes or not (i.e., whether the connection closes or stays open) as feedback, the BROP attack constructs a full remote exploit that leads to a shell. It remotely leaks enough gadgets to perform the write system call, after which the binary is transferred from memory to the attacker's socket. Following that, a standard ROP attack can be carried out. Apart from attacking proprietary services, BROP is very useful in targeting open-source software for which the particular binary in use is not public (e.g., installed-from-source setups, Gentoo boxes, etc.).
Attack outline:
– Break ASLR by “stack reading” a return address (and canaries).
– Find a “stop gadget” which halts ROP chains so that other gadgets can be found.
– Find the BROP gadget which lets you control the first two arguments of calls.
– Find a call to strcmp, which as a side effect sets the third argument to calls (e.g., write length) to a value greater than zero.
– Find a call to write.
– Write the binary from memory to the socket.
– Dump the symbol table from the downloaded binary to find calls to dup2, execve, and build shellcode.
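The stack-reading step above costs many crashes per leaked byte, and it only works because the service comes back after each crash with the same memory layout. That gives a defender a clear footprint: a burst of segfaults from one service whose binary is mapped at the same base every time. The following Python is an added detection example, not part of Braille; the kernel segfault log lines it parses are constructed samples, and the regex follows the standard Linux `segfault at ... ip ... sp ... error N in obj[base+size]` message format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Linux kernel segfault messages as relayed by syslog (month day time host kernel: ...).
SEGV_RE = re.compile(
    r"(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<comm>[^\[\s]+)\[\d+\]: segfault at [0-9a-f]+ ip [0-9a-f]+ sp [0-9a-f]+ "
    r"error \d+ in [^\[]+\[(?P<base>[0-9a-f]+)\+[0-9a-f]+\]"
)

def parse_segfaults(lines):
    """Yield (timestamp, process name, load base of the faulting object)."""
    for line in lines:
        m = SEGV_RE.search(line)
        if m:
            ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
            yield ts, m["comm"], int(m["base"], 16)

def crash_bursts(lines, window_s=60, threshold=5):
    """One finding per service with >= threshold segfaults inside any window_s
    window. rerandomized=False means the binary sat at the same base on every
    crash, i.e. the service restarts without refreshing ASLR (fork, no execve),
    which is exactly the precondition BROP's stack reading relies on."""
    events = defaultdict(list)
    for ts, comm, base in parse_segfaults(lines):
        events[comm].append((ts, base))
    findings = []
    for comm, evs in sorted(events.items()):
        evs.sort()
        peak = start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append({"comm": comm, "crashes": len(evs), "peak_in_window": peak,
                             "rerandomized": len({b for _, b in evs}) > 1})
    return findings

# Constructed sample (not real data): six crashes of 'srv' within 25 seconds,
# same load base every time, plus one unrelated crash half an hour later.
SAMPLE_LOG = [
    f"Mar 10 12:00:{s:02d} host kernel: srv[{4100 + i}]: segfault at 4141414141 "
    f"ip 000055d0c0c0{i}b50 sp 00007ffd2a1b3e10 error 4 in srv[55d0c0c00000+5000]"
    for i, s in enumerate((1, 5, 10, 14, 19, 26))
] + ["Mar 10 12:30:00 host kernel: cron[900]: segfault at 0 ip 000000000040102a "
     "sp 00007ffe1c2d3e40 error 4 in cron[400000+3000]"]

if __name__ == "__main__":
    for finding in crash_bursts(SAMPLE_LOG):
        print(finding)
```

A finding with `rerandomized` False is the one to act on: the mitigation is to restart crashed workers via execve (or a full service restart) so each crash costs the attacker its leaked bytes again, and to rate-limit or alert on repeated crashes from one source.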

There are three exploit scenarios:
– Open-source (e.g., Apache)
– Open-binary (e.g., Internet Explorer)
– Closed-binary and source (e.g., some proprietary network service)

Ruby code (fix check_alive):

c.c (client socket):

Usage:

Source: