ROP Emporium Full Solutions

edited January 2018 in Exploits

Hi, I have included full solutions for ROP Emporium challenges written with pwntools. https://github.com/devopsghost/emporium_complete_solutions
More than one method is included for each challenge. Hope this will be a helpful reference for everyone.
However, the shell.py in the pivot32 challenge is not working as intended (it is supposed to give you a shell). Please message me or send a git request if you can figure out the reason for that. The original link for the shell.py is https://offensivepentest.com/2017/09/09/ropemporium-pivot-writeup/ (Last Section)

HYP3V1S0R

Comments

  • Hey, I had the same problem in pivot32 and solved it by jumping to execve() instead of system().

    ompamo

  • Thank you. Do you mind posting your code? execve() is not inside libpivot32.

    HYP3V1S0R

  • I know execve() is not there; if you want to spawn a shell you have to ret2libc (as far as I know). libpivot contains the functions required to print the flag... In that exercise you have to call a function in that linked library to populate the .plt entry for that function, then locate the offset with that function and ret2win, write the address somewhere in memory and jump there, but since the ROP chain doesn't fit in the buffer you have to pivot. Spawning the shell wasn't the original challenge.

    This is my solution to spawn a shell for pivot32: https://pastebin.com/KKkFxTeh
    I didn't implement the solution to print the flag with the 32-bit binary...

    Note: I suppose it works, since it did some days ago. But right now I've detected that when I try to execute a BOF on my Kali it shows a "*** stack smashing detected ***: terminated" message. I suppose it's some security feature now enabled without notice...

    ompamo

  • The solution is now working thanks to @ompamo! It is based on ret2libc.

    HYP3V1S0R

  • The old link will not work anymore. Updated link is now https://github.com/Yas3r/emporium_complete_solutions

    HYP3V1S0R

  • Thank you
