ROP Emporium - split

In the previous post I tried to explain what ROP is and how I solved the ROP Emporium ret2win. This write-up will be about the second challenge: split. We’ll look at finding our first gadget and how to go about using it in a chain. Exploring the binary First explore the binary to see what we’re up against: $ rabin2 -I split | grep nx nx true $ rabin2 -z split [Strings] Num Paddr Vaddr Len Size Section Type String 000 0x000008a8 0x004008a8 21 22 (.

ROP Emporium - ret2win

Over the past couple of week I’ve set myself the goal of learning how Return Oriented Programming (ROP) really works. Coincidentally, over at Hack the Box there have recently been multiple instances where one needed to exploit a binary using ROP. Whilst doing some research on the topic I ran into ROP Emporium and this has proven to be very valuable resource. This site hosts eight challenges with an increasing level of difficulty and along the way it touches upon various concepts related to ROP and binary exploitation.

WireGuard on OpenBSD

Earlier this week I imported a port for WireGuard into the OpenBSD ports tree. At the moment we have the userland daemon and the tools available. The in-kernel implementation is only available for Linux. At the time of writing there are packages available for -current.As of June 2020 support for WireGuard has been committed to the kernel as wg(4) along with support in ifconfig(8). Please see these two posts on the WireGuard mailinglist on how to set it up or how migrate from a setup as described below: setup and migrate from Linux.

SLAE64 - Crypter

The seventh and final assignment of the SLAE64 exam states: Create a custom crypto like the one shown in the “crypters” video Free to use any existing encryption schema Can use any programming language Initially I wanted to use the Tiny Encryption Algorithm but decided against it and instead chose the ChaCha20 stream cipher. The reason is that while TEA is an interesting exercise is simplicity, ChaCha20 is much more relevant today.

SLAE64 - Polymorphic shellcode

The sixth assignment of the SLAE64 exam states: Take up to 3 shellcodes from Shell-Storm and create polymorphic version of them to beat pattern matching The polymorphic versions cannot be larger than 150% of the original shellcode Bonus points for making it shorter in length than original When researching polymorphism one is certain to encounter the Polymorphic Shellcode Engine Using Spectrum Analysis article from Phrack Magazine. Our polymorphic versions are a lot simpler than what is described in this seminal article.