Difficulty: Beginner
Estimated Time: 5 Minutes

Exploit an Nginx buffer overflow vulnerability to open a remote shell.

This tutorial is described in detail and step by step in this Blind ROP Whitepaper, with useful diagrams of memory maps. You are encouraged to read it or have it open as the attack progresses.

The whitepaper is based on the seminal paper on Blind Return-Oriented Programming attacks from Stanford University, and uses the (now-patched) vulnerability CVE-2013-2028 vulnerability.

This is an excellent way to study and learn how a real buffer overflow exploit works.

Let's proceed...

Exploiting Buffer Overflows is far simpler than widely assumed. Detecting ROP attacks on the network is difficult, if not impossible, because they're just regular valid packets.

They do, however, leave loud noisy side-effects on the victim if one knows where to look. If you'd like to detect attacks on your own hosts, we recommend the Open Source Zerotect agent.

If you'd like to defend against these attacks proactively on the zeroth day, i.e. to gain complete immunity against this class of attacks, consider Polymorphing for Linux.

Detecting a real exploit

Step 1 of 3

Start vulnerable Nginx

Let's start a vulnerable Nginx 1.4.0 server:

docker run -it --rm --name target -p 80:80 polyverse/vulnerable-nginx-1.4.0:poly-dev

In a few moments, nginx will service a public-facing webpage here:

Nginx public HTTP(S) endpoint

NOTE: Source code for this nginx docker image is available here: https://github.com/polyverse/vuln-nginx-1.4.0. You can study what does or does not go into this, and be sure it is not synthetic. For the adventurous, you may build that image, and run that instead of the image we've used here.

Terminal
Victim
Attacker
Zerotect
Detection
Nginx