In the previous post, we analyzed and exploited a stack-based buffer overflow vulnerability in the chunked encoding parsing of nginx 1.3.9 – 1.4.0. We mentioned that there was another attack vector that is more practical and more reliable. I talked about this attack vector at SECUINSIDE 2013 in July (btw, a great conference and CTF). Details can be found in the slides.

In summary:

  • Same bug, but reached through different code paths: the ones that serve dynamic content via FastCGI, proxy backends, etc. These configurations are far more common in real-world deployments.
  • A heap-based overflow instead of the stack-based overflow described in the original advisory, so there is no stack cookie to worry about (and no brute-forcing).
  • The trick that makes the heap overflow exploit more reliable is connection spraying.
  • Some small tips and tricks for ROP and shellcode.

Enjoy hacking!