ROP Emporium ~ Pwning MIPS

Earlier this month, ROP Emporium updated all eight 32-bit and 64-bit x86 challenges, along with adding challenges for ARM and MIPS.


Given that most folks are going to be working from an x86_64-based host, I thought I might go over some options for approaching the MIPS binaries.  While I stick strictly to MIPS here, the ARM setup is very similar.

Hardware

One option is to simply use MIPS hardware, avoiding your x86 host altogether. While the ARM folks have it easy with a myriad of boards to choose from, like the Raspberry Pi line, the choice is more limited for MIPS. I've used the Creator CI20 and, while it's a bit over-priced and has been EOL for a while now, it gets the job done. Alternatively, you might have a little-endian MIPS device, such as a wireless router, that you could use too.

User-Mode Emulation

The ROPE Beginner's Guide discusses ways to approach the MIPS challenges using qemu in user mode. Following those instructions will certainly get you into a position to tackle the MIPS binaries, but that setup does present a few issues that can be a bother, such as qemu-user not supporting ASLR and tools like pwndbg not working too well in this configuration.

Full-System Emulation

Foregoing available hardware and, in my view, the awkward exploit development workflow that comes with running user-mode qemu, I have found more success with emulating the MIPS machine entirely with qemu-system.  My configuration went something like this...

qemu

Install qemu on your system via your package manager (e.g., brew, apt, yum).

mipsel 32-bit image

You can build this part yourself by following the great instructions here, but I have found it easier to just download a precompiled kernel and disk image:

# https://people.debian.org/~jcowgill/qemu-mips/
wget https://people.debian.org/~jcowgill/qemu-mips/debian-stretch-mipsel.qcow2
wget https://people.debian.org/~jcowgill/qemu-mips/initrd.img-4.9.0-4-5kc-malta.mipsel.stretch
wget https://people.debian.org/~jcowgill/qemu-mips/vmlinux-4.9.0-4-5kc-malta.mipsel.stretch

start the emulated machine

qemu-system is all-powerful so there are a bunch of different settings and flags you can take advantage of.  My startup command is shown below.  When the machine finishes booting, you'll be presented with a login prompt.  The default credential is root with no password.

qemu-system-mips64el \
  -M malta \
  -cpu MIPS64R2-generic \
  -m 2G \
  -append 'root=/dev/vda console=ttyS0 mem=2048m net.ifnames=0 nokaslr' \
  -netdev user,id=user.0 \
  -device virtio-net,netdev=user.0 \
  -device usb-kbd \
  -device usb-tablet \
  -device e1000 \
  -net user,hostfwd=tcp::2222-:22 \
  -net nic \
  -nographic \
  -kernel vmlinux-* \
  -initrd initrd.img-* \
  -drive file=$(echo debian-*.qcow2),if=virtio
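As an added example (not from the original post), here is the same launch wrapped in a small script that first checks that each wildcard resolves to exactly one file; a leftover second kernel or disk image in the directory would otherwise be passed to qemu as a stray argument. It assumes the three downloads above sit in the current directory and that their filenames contain no whitespace.

```shell
#!/bin/sh
# Added helper, not part of the original post: launch the Debian mipsel guest
# with the same qemu-system flags as above, after resolving each wildcard
# to exactly one file so nothing unexpected is handed to qemu.
set -eu

# Print the single existing file matching the glob in $1, or fail.
# Assumes the filenames contain no whitespace (true for the downloads above).
pick_one() {
    pattern=$1
    count=0
    found=""
    for f in $pattern; do
        if [ -e "$f" ]; then
            count=$((count + 1))
            found=$f
        fi
    done
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one file matching '$pattern', found $count" >&2
        return 1
    fi
    printf '%s\n' "$found"
}

launch_guest() {
    kernel=$(pick_one 'vmlinux-*')
    initrd=$(pick_one 'initrd.img-*')
    disk=$(pick_one 'debian-*.qcow2')
    exec qemu-system-mips64el -M malta -cpu MIPS64R2-generic -m 2G \
        -append 'root=/dev/vda console=ttyS0 mem=2048m net.ifnames=0 nokaslr' \
        -netdev user,id=user.0 -device virtio-net,netdev=user.0 \
        -device usb-kbd -device usb-tablet -device e1000 \
        -net user,hostfwd=tcp::2222-:22 -net nic -nographic \
        -kernel "$kernel" -initrd "$initrd" -drive "file=$disk,if=virtio"
}

# Only launch when explicitly asked, so the functions can be sourced alone.
if [ "${1:-}" = "--run" ]; then
    launch_guest
fi
```

Run it as `sh launch-mips.sh --run` (hypothetical filename) from the download directory; the script exits with a message instead of starting qemu if a pattern matches zero or several files.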


qemu guest tweaks

The image used here is a pretty bare-bones Debian 9 instance. There are a few quality-of-life tweaks I suggest making. The script below will set up ssh (reachable on host port 2222 via the forward above), set a root password (root:root) and install pwndbg, which comes with a number of great binary analysis tools.

Note - when installing pwndbg, unicorn will fail to compile.  In general, your tooling needs for these challenges will not be negatively impacted by this.  You should be able to safely ignore this error.

#!/bin/bash

# keep apt quiet
export DEBIAN_FRONTEND=noninteractive

# install minimal packages for the pwndbg install, ssh comms and vim
apt-get update
apt-get install -yq git sudo ssh vim

# set a root password because it is empty on this image
echo root:root | chpasswd

# allow root to log in over ssh
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
service ssh restart

# install pwndbg (the unicorn build step will fail; see the note above)
git clone https://github.com/pwndbg/pwndbg
cd pwndbg
yes | ./setup.sh


Pwning

At this point, we should have qemu installed, our emulated MIPS system running and all our favorite tools installed. It's now time to copy over the binaries (e.g., scp, wget, etc.) and get to work solving the challenges.


Be mindful of the branch/load delay slot! ;-)



