Earlier this month, ROP Emporium updated all eight 32-bit and 64-bit x86_64 challenges, along with adding challenges for ARM and MIPS.
Given that most folks are going to be working from an x86_64-based host, I thought I might go over some options for approaching the MIPS binaries. While I stick strictly to MIPS here, the ARM setup is very similar.
One option is to simply use MIPS hardware, avoiding your x86 host altogether. While the ARM folks have it easy with a myriad of boards to choose from, like the Raspberry Pi line, the choice is more limited for MIPS. I've used the Creator CI20, and while it's a bit overpriced and has been EOL for a while now, it gets the job done. Alternatively, you might have a little-endian MIPS device, such as a wireless router, that you could use too.
The ROPE Beginner's Guide discusses ways to approach the MIPS challenges using qemu in user mode. Following those instructions will certainly get you into a position to tackle the MIPS binaries, but it does present a few issues that can be a bother, such as qemu-user not supporting ASLR and tools like pwndbg not working too well in this configuration.
Forgoing available hardware and, in my view, the awkward exploit-development workflow that comes with running user-mode qemu, I have found more success emulating the MIPS machine entirely with qemu-system. My configuration went something like this...
Install qemu on your system via your package manager (e.g., brew on macOS).
mipsel 32-bit image
You can build this part yourself by following the great instructions here, but I have found it easier to just download a precompiled kernel and disk image:
start the emulated machine
qemu-system is all-powerful so there are a bunch of different settings and flags you can take advantage of. My startup command is shown below. When the machine finishes booting, you'll be presented with a login prompt. The default credential is root with no password.
# (these flags follow the qemu-system-mipsel invocation line, which is not reproduced here)
# -append: kernel cmdline (virtio root disk, serial console, RAM size, eth0 naming, no KASLR)
# -device/-netdev: virtio NIC on user-mode networking; host port 2222 forwards to guest ssh (22)
# -drive: the downloaded Debian qcow2 image attached as a virtio disk
    -append 'root=/dev/vda console=ttyS0 mem=2048m net.ifnames=0 nokaslr' \
    -device virtio-net,netdev=user.0 \
    -netdev user,id=user.0,hostfwd=tcp::2222-:22 \
    -drive file=$(echo debian-*.qcow2),if=virtio
The image used here is a pretty bare-bones Debian 9 instance. There are a few quality-of-life tweaks I suggest making. The script below will set up ssh (forwarded to host port 2222), set a root password (root:root) and install pwndbg, which comes with a number of great binary analysis tools.
Note - when installing pwndbg, unicorn will fail to compile. In general, your tooling needs for these challenges will not be negatively impacted by this. You should be able to safely ignore this error.
#!/bin/sh
# run as root inside the guest
# install minimal packages for the pwndbg install, ssh access and vim
apt-get update && apt-get install -yq git sudo ssh vim
# set a root password because it is empty on this image
echo root:root | chpasswd
# allow root logins over ssh and restart sshd so the change takes effect
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
systemctl restart ssh
# install pwndbg (its unicorn build fails on this guest; that is expected and safe to ignore)
git clone https://github.com/pwndbg/pwndbg
cd pwndbg && ./setup.sh
At this point, we should have qemu installed, our emulated MIPS system running and all our favorite tools installed. It's now time to copy over the binaries (e.g., scp, wget, etc.) and get to work solving the challenges.
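Before copying binaries into the guest it is worth confirming they actually match it: a big-endian MIPS or 64-bit build will not run on a mipsel 32-bit image. The checker below is an added example, not code from this post or from ROP Emporium. It reads the ELF header (EI_CLASS, EI_DATA and e_machine) and reports whether a file belongs on the guest, and which qemu-system target would boot a matching machine otherwise; it goes beyond the page's mipsel case to ARM and x86 binaries. The GUEST tuple, the e_machine table and the constructed sample headers are my own assumptions.

```python
import struct
import sys

# e_machine values from the ELF specification (<elf.h>)
EM_386, EM_MIPS, EM_ARM, EM_X86_64, EM_AARCH64 = 0x03, 0x08, 0x28, 0x3E, 0xB7
MACHINE_NAMES = {EM_386: "x86", EM_MIPS: "mips", EM_ARM: "arm",
                 EM_X86_64: "x86", EM_AARCH64: "arm"}

# What the guest booted from the mipsel 32-bit Debian image can run
# (assumption: "mipsel" means little-endian MIPS32, which is what the label denotes).
GUEST = (32, "little", "mips")


def elf_identity(data):
    """Parse the start of an ELF file into (bits, endianness, machine family).

    e_ident carries the class (32/64-bit) and data encoding (byte order); e_machine
    sits at offset 18 in both ELF32 and ELF64 headers and is stored in the file's
    own byte order, so it must be read with the endianness decoded just before.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}.get(data[4])
    endian = {1: "little", 2: "big"}.get(data[5])
    if bits is None or endian is None:
        raise ValueError("unrecognised EI_CLASS/EI_DATA in ELF header")
    (e_machine,) = struct.unpack_from("<H" if endian == "little" else ">H", data, 18)
    if e_machine not in MACHINE_NAMES:
        raise ValueError("unsupported e_machine 0x%x" % e_machine)
    return bits, endian, MACHINE_NAMES[e_machine]


def qemu_target(bits, endian, machine):
    """Name the qemu-system binary that boots a full system for this kind of binary."""
    if machine == "mips":
        return "qemu-system-mips%s%s" % ("64" if bits == 64 else "",
                                         "el" if endian == "little" else "")
    if machine == "arm":
        return "qemu-system-aarch64" if bits == 64 else "qemu-system-arm"
    return "qemu-system-x86_64" if bits == 64 else "qemu-system-i386"


def matches_guest(data, guest=GUEST):
    """True when the binary can run inside the emulated guest (same width, byte order, ISA)."""
    return elf_identity(data) == guest


def fake_elf_header(ei_class, ei_data, e_machine):
    """Constructed sample data: a 20-byte ELF header prefix (not a real, loadable binary)."""
    fmt = "<H" if ei_data == 1 else ">H"
    return (b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
            + struct.pack(fmt, 2) + struct.pack(fmt, e_machine))


def check_paths(paths, guest=GUEST):
    """Map each path to (identity, fits_guest, qemu target or error message)."""
    report = {}
    for path in paths:
        with open(path, "rb") as fh:
            head = fh.read(64)
        try:
            ident = elf_identity(head)
            report[path] = (ident, ident == guest, qemu_target(*ident))
        except ValueError as exc:
            report[path] = (None, False, str(exc))
    return report


if __name__ == "__main__":
    # usage: python3 elfcheck.py ret2win_mipsel callme_mipsel ...
    for path, (ident, ok, target) in check_paths(sys.argv[1:]).items():
        verdict = "ok to copy into the guest" if ok else "does not fit this guest"
        print("%s: %s -> %s (%s)" % (path, ident, target, verdict))
```

Run it over the challenge files before the scp step; anything reported as not fitting the guest needs a different image (and the named qemu-system target) rather than a debugging session inside the wrong machine.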
Be mindful of the branch/load delay slot! ;-)