To conduct a successful BROP attack, the attacker needs two properties to hold on the target system:
- a buffer overflow vulnerability in the server's request-handling path, and
- that vulnerability must sit in a service configured to restart automatically after a crash, so that the stack canary and addresses do not change between attempts.
In summary, the attacker will be looking to determine the following:
- the buffer overflow size
- the stack canary and the stop gadget location
- the address of the procedure linkage table (PLT)
- the assembly gadgets accessible within the target system
By sending enough requests, the attacker can increment through all the potential values and determine the stack canary. Each time they send an overrun condition, they append a guessed canary value to the end of the payload. When the guess matches the real canary, the value on the stack is unchanged and the program does not crash.
The attacker then uses this foothold to determine the address of a 'stop gadget': a location that, when returned to, halts the program without crashing it. It can be returned to when searching for other gadgets and lets the attacker halt ROP chains so that more gadgets can be discovered.
Once the address of the stop gadget is known, the attacker uses it to find the procedure linkage table (PLT), which links the program's calls to the lower-level library routines.
Armed with the addresses of the PLT and the stop gadget, the attacker begins locating ROP gadgets.
After the address locations of these gadgets have been discovered, the attacker can begin their main attack.
The attacker sends a malicious payload that includes the buffer overflow, the stack canary, and the PLT locations.
This payload will have a few calls to ROP gadgets within the system, complete with their precise address locations.
The script overflows an input, discovers the gadgets, and uses them to inject a remote shell command as the third argument, giving the attacker control over your system.
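The same two preconditions that make the attack sequence above possible also make it visible: every wrong canary or address guess crashes the service once, and the service restarts for the next guess. As an added example, not code from the original article, the Python below flags a program that segfaults repeatedly within a short window; the syslog-style kernel segfault records are constructed for this example and the window and threshold are illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Kernel segfault record, syslog style (constructed format for this example).
SEGFAULT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: segfault at"
)

# Constructed sample: 'srv' crashes twelve times in twelve seconds, each time under a
# fresh PID because the service was restarted, plus one isolated crash of another program.
SAMPLE_LOG = "\n".join(
    [f"Mar 03 10:00:{s:02d} host kernel: srv[{4100 + s}]: segfault at 4141414141414141 "
     f"ip 00007f3a1d2e4a10 sp 00007ffd2b3c1f40 error 6 in srv[55e0c7a1c000+1000]"
     for s in range(12)]
    + ["Mar 03 10:05:00 host kernel: editor[777]: segfault at 0 ip 000055d1c0a012f0 "
       "sp 00007ffc8a1b2c30 error 4 in editor[55d1c0a00000+2000]"]
)

WINDOW_SECONDS = 60  # assumption: guess-driven crashes cluster well inside a minute
THRESHOLD = 8        # assumption: more crashes than a normal restart loop produces


def crash_burst_alerts(log_text, window=WINDOW_SECONDS, threshold=THRESHOLD, year=2024):
    """Return [(program, crash_count, timestamp)] for each program whose crashes
    reach `threshold` inside any `window`-second span (one alert per program)."""
    recent = defaultdict(deque)  # program -> crash timestamps still inside the window
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        m = SEGFAULT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["prog"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and m["prog"] not in alerted:
            alerted.add(m["prog"])
            alerts.append((m["prog"], len(q), m["ts"]))
    return alerts


if __name__ == "__main__":
    for prog, count, when in crash_burst_alerts(SAMPLE_LOG):
        print(f"ALERT {when}: {prog} crashed {count} times within {WINDOW_SECONDS}s; "
              "repeated overflow attempts against a restarting service?")
```

Pair an alert like this with a restart policy that does not simply respawn the same process image, since the attack depends on the canary and layout surviving each crash.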