Earlier this month, ROP Emporium updated all eight 32-bit and 64-bit x86_64 challenges, along with adding challenges for ARM and MIPS.
Given that most folks are going to be working from an x86_64-based host, I thought I might go over some options for approaching the MIPS binaries. While I stick strictly to MIPS here, the ARM setup is very similar.
Hardware
One option is to simply utilize MIPS hardware, avoiding your x86 host altogether. While the ARM folks have it easy with a myriad of boards to choose from, like the Raspberry Pi line, the choice is more limited for MIPS. I've utilized the Creator CI20 and, while it's a bit overpriced and has been EOL for a while now, it gets the job done. Alternatively, you might have a little-endian MIPS device, such as a wireless router, that you could use too.
User-Mode Emulation
The ROPE Beginner's Guide discusses ways to approach the MIPS challenges utilizing qemu in user-mode. Following those instructions will certainly get you into a position to tackle the MIPS binaries, but it does present a few issues that can be a bother, such as qemu-user not supporting ASLR and tools like pwndbg not working too well in this configuration.
Full-System Emulation
Foregoing available hardware and, in my view, the awkward exploit development workflow that comes with running user-mode qemu, I have found more success with emulating the MIPS machine entirely with qemu-system. My configuration went something like this...
qemu
Install qemu on your system via your package manager (e.g., brew, apt, yum).
mipsel 32-bit image
You can build this part yourself by following the great instructions here, but I have found it easier to just download a precompiled kernel and disk images:
# https://people.debian.org/~jcowgill/qemu-mips/
wget https://people.debian.org/~jcowgill/qemu-mips/debian-stretch-mipsel.qcow2
wget https://people.debian.org/~jcowgill/qemu-mips/initrd.img-4.9.0-4-5kc-malta.mipsel.stretch
wget https://people.debian.org/~jcowgill/qemu-mips/vmlinux-4.9.0-4-5kc-malta.mipsel.stretch
start the emulated machine
qemu-system is all-powerful so there are a bunch of different settings and flags you can take advantage of. My startup command is shown below. When the machine finishes booting, you'll be presented with a login prompt. The default credential is root with no password.
# kernel, initrd and disk are the Debian images downloaded above; -m matches the mem=2048m kernel argument
qemu-system-mipsel -M malta -m 2048 -nographic \
-kernel vmlinux-4.9.0-4-5kc-malta.mipsel.stretch \
-initrd initrd.img-4.9.0-4-5kc-malta.mipsel.stretch \
-append 'root=/dev/vda console=ttyS0 mem=2048m net.ifnames=0 nokaslr' \
-netdev user,id=user.0,hostfwd=tcp::2222-:22 \
-device virtio-net,netdev=user.0 \
-drive file=$(echo debian-*.qcow2),if=virtio
The image used here is a pretty bare-bones Debian 9 instance. There are a few quality-of-life tweaks I suggest making. The script below will set up ssh (forwarded to host port 2222), set a root password (root:root) and install pwndbg, which comes with a number of great binary analysis tools.
Note - when installing pwndbg, unicorn will fail to compile. In general, your tooling needs for these challenges will not be negatively impacted by this. You should be able to safely ignore this error.
#!/bin/sh
export DEBIAN_FRONTEND=noninteractive
# install minimal packages for pwndbg install, ssh comms and vim
apt-get update -q
apt-get install -yq git sudo ssh vim
# set root passwd because it is empty on this image
echo root:root | chpasswd
# allow root to log in over ssh (host port 2222) and reload sshd so it takes effect
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
service ssh restart
# fetch pwndbg and run its installer (the unicorn compile failure mentioned above is expected)
git clone https://github.com/pwndbg/pwndbg
cd pwndbg && ./setup.sh
Pwning
At this point, we should have qemu installed, our MIPS emulated system running and all our favorite tools installed. It's now time to copy over the binaries (e.g., scp, wget, etc.) and get to work solving the challenges.
Be mindful of the branch/load delay slot! ;-)
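As an added example that is not part of the original post, the startup command and the copy-over step above can be wrapped in a small launch script with preflight checks and a wait-for-sshd step. It assumes the Debian image filenames downloaded earlier, the forwarded port 2222 with root login from the setup script, and uses the -netdev/-device flag pairing in place of -net user.

```shell
#!/bin/sh
# Added helper, not from the original post: launch the qemu-system-mipsel guest
# with preflight checks and wait for its sshd before copying challenge binaries.
# Filenames are the Debian images downloaded above; port 2222 and root login
# match the post's setup script.
KERNEL=vmlinux-4.9.0-4-5kc-malta.mipsel.stretch
INITRD=initrd.img-4.9.0-4-5kc-malta.mipsel.stretch
DISK=debian-stretch-mipsel.qcow2
SSH_PORT=2222

# Assemble the launch command as one string so it can be printed and reviewed
# (--dry-run) before anything is started. -m matches the mem=2048m kernel arg.
build_qemu_cmd() {
    printf '%s' "qemu-system-mipsel -M malta -m 2048 -nographic" \
        " -kernel $1 -initrd $2" \
        " -append 'root=/dev/vda console=ttyS0 mem=2048m net.ifnames=0 nokaslr'" \
        " -netdev user,id=net0,hostfwd=tcp::${4}-:22 -device virtio-net,netdev=net0" \
        " -drive file=$3,if=virtio"
}

# Fail fast on a missing or empty image instead of a confusing boot error.
check_images() {
    for f in "$@"; do
        [ -s "$f" ] || { echo "missing or empty image: $f" >&2; return 1; }
    done
}

# Poll the forwarded port with ssh-keyscan (no credentials needed) until the
# guest's sshd answers, so scp is not attempted while the guest is still booting.
wait_for_ssh() {
    i=0
    while [ "$i" -lt "${2:-60}" ]; do
        [ -n "$(ssh-keyscan -p "$1" -T 2 localhost 2>/dev/null)" ] && return 0
        i=$((i + 1)); sleep 2
    done
    return 1
}

case "${1:-}" in
    --dry-run) build_qemu_cmd "$KERNEL" "$INITRD" "$DISK" "$SSH_PORT"; echo ;;
    --launch)  check_images "$KERNEL" "$INITRD" "$DISK" && \
               eval "$(build_qemu_cmd "$KERNEL" "$INITRD" "$DISK" "$SSH_PORT")" ;;
    --wait)    wait_for_ssh "$SSH_PORT" && \
               echo "guest is up: scp -P $SSH_PORT <binary> root@localhost:" ;;
esac
```

Run `--launch` in one terminal and `--wait` in another; once it reports the guest is up, scp the challenge binaries over port 2222 as the post describes.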