Jump to content
Nytro

nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit

By Nytro, in Reverse engineering & exploit development

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit

about a generic way to exploit Linux targets

written by Kingcope

Introduction

In May 2013 a security advisory was announced at the nginx-announce mailing list [1] and a CVE

identifier was assigned to the vulnerability.

The vulnerability was discovered by Greg MacManus, of iSIGHT Partners Labs.

CVE-2013-2028 is described as [2] follows.

„The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0

allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a

chunked Transfer-Encoding request with a large chunk size, which triggers an integer signedness

error and a stack-based buffer overflow.“

Recent versions of nginx http server use a HTTP 1.1 standard called chunked transfer encoding.

Older versions of nginx do not support chunked transfers in HTTP requests. A third party module or

source patch had to be installed to use chunked transfers. This quite new code in nginx contains

the mentioned integer signedness error that results in a stack-based buffer overflow.

This text will show how to exploit this bug on Linux platforms in a generic and brute force way.

The exploit [3] relies on the fact that all memory addresses are randomized in process address

space on the Linux platform today, only the process images address is not randomized and is found

at a fixed address.

This fact can be used to build exploits by only referencing the addresses of the process image. The

first step to write an exploit for the current Linux platform is to find all addresses that are needed

to build a ROP chain and execute shellcode. Interesting is that normally all addresses are

hardcoded in exploit code. There are ways to minimize the amount of hardcoded addresses. By

using less hardcoded addresses it is possible to target many Linux platforms at once with the same

exploit code without the need to add offsets for each target platform. Nearly all offsets can be

retrieved using brute force methods. The disadvantage is that brute forcing addresses can be noisy

throughout the process.

Download:

www.exploit-db.com/download_pdf/27074

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...