
ROP Emporium: Learn return-oriented programming through a series of challenges - entelechy
https://ropemporium.com/
======
dustfinger
This is interesting (these are solutions for the challenges on the site):

[https://github.com/abatchy17/ROP-Emporium](https://github.com/abatchy17/ROP-Emporium)

~~~
cantrip
There are a bunch of solutions on Github but I'm not sure how to judge these
ones.

Which solution here was the most interesting to you? Were there any bugs or
solutions that were clearly sub optimal?

~~~
dustfinger
A tag search returned two repos with solutions for ropemporium:

[https://github.com/topics/ropemporium](https://github.com/topics/ropemporium)

Thank you for challenging me on my choice of wording. I shouldn't have
suggested that the repo was interesting without properly exploring the
contents myself. I only discovered that git repo after reading the article
this morning and since I am at work I have not been able to explore the code
myself. I posted the link just to share it with anyone else that might be
interested.

~~~
cantrip
A regular Github search turns up half a dozen more. It feels like you've
intentionally limited yourself to the less commonly used tag search in order
to attempt to prove a point that isn't there.

------
kvakil
This looks like a nice variety of challenges! I've always found constructing
ROP chains extremely satisfying, even more than regular exploit development.

As a plug, I wrote a blog post solving a similar exercise using a ROP chain:
[http://www.kvakil.me/posts/ropchain/](http://www.kvakil.me/posts/ropchain/) .
It looks pretty similar to the pivot challenge here.
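The chain-building step kvakil refers to, as an added example that is not part of the post, the linked blog, or ROP Emporium's own material: a minimal x86-64 gadget finder that scans a constructed byte blob for `pop reg ; ret` gadgets (the REX-prefixed `pop r8..r15` forms included) and packs a SysV-ABI call `target(arg0, arg1, ...)` as a little-endian stack layout. All addresses (`SAMPLE_BASE`, the target and argument values) are made up for illustration; a real chain would take them from the challenge binary.

```python
import struct

# x86-64 registers indexed by the low 3 bits of a 0x58+r 'pop' opcode
_REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
_REGS_EXT = ["r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]  # with REX.B (0x41)
_RET = 0xC3


def find_pop_ret_gadgets(code, base):
    """Return {register: address} for every 'pop reg ; ret' gadget in code.

    Only the one-byte form (0x58+r) and its REX.B form (0x41 0x58+r),
    each followed immediately by 'ret' (0xC3), are recognised. Every byte
    offset is scanned, not just instruction boundaries, because a gadget
    that starts in the middle of a longer instruction is still usable.
    The lowest address seen for a register is kept.
    """
    gadgets = {}
    for i, b in enumerate(code):
        if b != _RET or i < 1:
            continue
        op = code[i - 1]
        if not 0x58 <= op <= 0x5F:
            continue
        # 'pop rax..rdi ; ret' starting one byte before the ret
        gadgets.setdefault(_REGS[op - 0x58], base + i - 1)
        # The same bytes prefixed by 0x41 are 'pop r8..r15 ; ret'
        if i >= 2 and code[i - 2] == 0x41:
            gadgets.setdefault(_REGS_EXT[op - 0x58], base + i - 2)
    return gadgets


def build_chain(gadgets, target, args):
    """Pack a SysV x86-64 call target(*args) as a ROP chain.

    Stack layout, lowest address first (the first 'ret' after the
    overwritten return address lands on the first entry):
        pop rdi ; ret
        arg0
        pop rsi ; ret
        arg1
        ...
        target
    """
    arg_regs = ["rdi", "rsi", "rdx", "rcx", "r8", "r9"]
    if len(args) > len(arg_regs):
        raise ValueError("only register-passed arguments are supported")
    chain = b""
    for reg, val in zip(arg_regs, args):
        if reg not in gadgets:
            raise ValueError(f"no 'pop {reg} ; ret' gadget available")
        chain += struct.pack("<Q", gadgets[reg]) + struct.pack("<Q", val)
    chain += struct.pack("<Q", target)
    return chain


# Constructed sample "text section" (not from any real binary): filler
# bytes around three pop/ret gadgets and one 'leave ; ret'. The latter is
# the kind of gadget a stack-pivot chain would look for; this finder
# deliberately ignores it, so it must not show up in the result.
SAMPLE_BASE = 0x400000
SAMPLE_CODE = bytes([
    0x55, 0x48, 0x89, 0xE5,   # push rbp ; mov rbp, rsp   (filler)
    0x5F, _RET,               # pop rdi ; ret             @ base+4
    0x90, 0x90,               # nop ; nop
    0x5E, _RET,               # pop rsi ; ret             @ base+8
    0x41, 0x58, _RET,         # pop r8 ; ret              @ base+10 (pop rax ; ret @ base+11)
    0xC9, _RET,               # leave ; ret               (ignored here)
])


def demo():
    """Find gadgets in the sample and build a two-argument call chain."""
    gadgets = find_pop_ret_gadgets(SAMPLE_CODE, SAMPLE_BASE)
    # Hypothetical target and argument values for illustration only
    chain = build_chain(gadgets, target=0x401000, args=[0x402000, 0x403000])
    return gadgets, chain


if __name__ == "__main__":
    found, rop = demo()
    for reg, addr in sorted(found.items(), key=lambda kv: kv[1]):
        print(f"pop {reg:<3} ; ret  @ {addr:#x}")
    print("chain:", " ".join(f"{q:#x}" for q in struct.unpack(f"<{len(rop)//8}Q", rop)))
```

The `setdefault` calls mean the first (lowest) address wins per register, which matters when the same gadget appears several times and one copy contains a bad byte. Real tooling such as ROPgadget or pwntools' `ROP` class handles many more gadget shapes (`ret imm16`, multi-pop sequences, `leave ; ret` and `xchg rax, rsp` pivots); this block shows only the core scan-and-pack idea.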

------
redsec
This is why the Internet is great! Thanks for sharing such an advanced concept
tutorial for free.

------
ghughes
Who made this?

~~~
dustfinger
I think the author wants to remain anonymous. A whois query shows that the
author / owner's contact info is being kept private.

[https://www.whois.com/whois/ropemporium.com](https://www.whois.com/whois/ropemporium.com)

~~~
gruez
It's pretty standard to have private whois registration nowadays, even for
sites attributable to you.

------
krisives
Are there leaderboards or profiles?

~~~
donkey-hotei
There's really no need for a leaderboard on a site like this. It's just a site
to teach ROP in isolation. If you want to pwn with a leaderboard I recommend
pwnable.tw where you can test the ROP skills you learned in the ROP emporium
while also learning about auditing binaries for memory corruption bugs of
various kinds.

------
ilaksh
I am pretty sure this is quite an unpopular opinion, but I think that the
biggest issue we have in computer security is culture.

Information security breaches are not victimless crimes. The ubiquity of
massive security failures shows that they are not rare occurrences. I believe
that this symptomizes a failure of our culture, related to an inability to
integrate information technology into the proper context within our society.

Sure, we need to be aware of exploit patterns so that we can make structural
improvements, but we don't need to become jolly experts in them. We should
stop glorifying cyber-criminals.

~~~
jaegerpicker
Not trying to be rude at all but that's a bit of a dream world. In all of
human history the very second someone invents a lock, someone else starts
figuring out how to break it. This is extremely unlikely to change, mostly
because it's fun and rewarding.

I'd agree the biggest issue in Computer Security is culture but it's not that
too many people learn what security is, it's the complete and utter disregard
that the majority of developers show for the basics. Combine that with a
general attitude of Security experts looking down at non-experts (I think this
is getting MUCH better thankfully) and it's no wonder most systems are like
Swiss cheese and full of holes.

~~~
stronglikedan
> it's the complete and utter disregard that the majority of developers show
> for the basics

I'm not sure that can be pinned squarely on the developers. IME, it's often
their management that wants to cut corners. Since proper security takes many
steps, it makes it an easy target for management to _negotiate_ some of those
steps out of the project. I'm sure there are a few developers that don't do it
correctly out of sheer laziness, and many that don't do it correctly out of
ignorance, but for large projects with many developers (e.g., banking
websites, etc.) I would think that most of the developers _want_ to do it
correctly, but management thinks it costs too much. Besides, there's no real
ramifications for management to consider anyway (which is, IMO, the crux of
the problem, but also another problem unto itself).

