xct / ropstar

Automatic exploit generation for simple linux pwn challenges.

Command Injection Vulnerability

iosifache opened this issue · comments

Hi there,

As I want to integrate ropstar into OpenCRS, I analyzed the code to better understand the implemented exploitation techniques. Although the program is meant to be used locally, I want to address a security issue that I discovered.

Description

Command injection is possible while exploiting a statically linked binary with a malicious filename.

Steps to Reproduce

  1. Download the source code of an exploitable binary: wget https://raw.githubusercontent.com/TechSecCTF/pwn_challs/master/stack/bof/bof.c -O /tmp/bof.c.
  2. Compile: gcc -m32 -static -fno-stack-protector /tmp/bof.c -o "/tmp/bin/bof;touch here;".
  3. Run ropstar: python3 ropstar.py -o 1 -state 1,1,1 "/tmp/bin/bof;touch here;".
  4. Observe the creation of the here file (due to command injection): ls here.

Patch

I already forked the repository and proposed a patch. Please see #11.
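The pattern behind this class of bug, and the two usual fixes, as an added example that is not ropstar's code and not the patch in #11. The `run_unsafe` function is a hypothetical stand-in for a tool invocation that interpolates the target filename into a shell command string (`wc -c` plays the role of the external tool); `run_argv` passes the filename as a separate argv element with no shell, and `run_quoted` keeps the shell but escapes the filename with `shlex.quote`. The malicious filename is constructed to match the report, and the check is whether the `here` marker appears in a scratch directory.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed malicious filename, the same shape as the one in the report.
MALICIOUS_NAME = "bof;touch here;"


def _marker_created(workdir):
    """True if the injected `touch here` actually ran inside workdir."""
    return os.path.exists(os.path.join(workdir, "here"))


def run_unsafe(binary, workdir):
    """Hypothetical vulnerable pattern: filename pasted into a shell string.

    With shell=True the shell parses `;`, so `wc -c bof;touch here;` runs
    `wc -c bof` and then `touch here` as two separate commands.
    """
    cmd = f"wc -c {binary}"
    subprocess.run(cmd, shell=True, cwd=workdir,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return _marker_created(workdir)


def run_argv(binary, workdir):
    """Fix 1: argv list, no shell. The filename is one literal argument."""
    subprocess.run(["wc", "-c", binary], cwd=workdir,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return _marker_created(workdir)


def run_quoted(binary, workdir):
    """Fix 2: if a shell is unavoidable, quote every untrusted token."""
    cmd = f"wc -c {shlex.quote(binary)}"
    subprocess.run(cmd, shell=True, cwd=workdir,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return _marker_created(workdir)


def injection_demo():
    """Run all three variants on the malicious name; report which ones were injected."""
    results = {}
    for name, fn in (("unsafe", run_unsafe), ("argv", run_argv), ("quoted", run_quoted)):
        with tempfile.TemporaryDirectory() as workdir:
            # Create a real file with the hostile name so the tool has a target.
            with open(os.path.join(workdir, MALICIOUS_NAME), "wb") as f:
                f.write(b"\x7fELF")
            results[name] = fn(MALICIOUS_NAME, workdir)
    return results


if __name__ == "__main__":
    print(injection_demo())
```

Only the string-interpolating variant creates the marker file; the argv form is the preferable fix because it removes the shell from the path entirely rather than relying on correct quoting at every call site.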