Ropstar

Exploits simple linux bof challenges involving alsr, nx and to some extend format strings. You can let it get you a shell or specify a win function that is called.

Install

mkvirtualenv sploit
pip install -r requirements.txt

• Requires python3
• Expects local installation of libcdatabase in /home/user/tools/libcdatabase. To run local exploits make sure you add your local libc to libcdatabase (32-bit & 64-bit versions). Also in ~/tools you need a clone of ROPgadget (used for static binary exploitation).

Examples

Exploit local binary:

python ropstar.py <name>

Run remote:

python ropstar.py <name> -rhost <address> -rport <port>

Limitations

• a lot, this a just a PoC, expect it to crash on most targets
• we assume we can write enough bytes to put our payload after the return pointer overwrite - when this is not then case ropstar fails

Tested on

• Bof (https://github.com/TechSecCTF/pwn_challs)
• Rop (https://github.com/TechSecCTF/pwn_challs)
• gimme-your-shell 32-bit & 64-bit (https://github.com/InsecurityAsso/inshack-2019)
• pwn1, pwn2, pwn3 (https://github.com/mishrasunny174/encrypt-ctf)
• speedrun-002 (defcon quals 2019, oooverflow.io)
• ropeasy_updated (https://hackable.ca/)
• buffer-overflow-1, buffer-overflow-2, gets (https://tcode2k16.github.io/blog/posts/picoctf-2018-writeup/binary-exploitation/#authenticate)
• Ropemporium: ret2win32
• various others

Help on this project is welcome! Contact me on twitter: @xct_de.