Thank you for challenging me on my choice of wording. I shouldn't have suggested that the repo was interesting without properly exploring the contents myself. I only discovered that git repo after reading the article this morning and since I am at work I have not been able to explore the code myself. I posted the link just to share it with anyone else that might be interested.
A regular Github search turns up half a dozen more. It feels like you've intentionally limited yourself to the less commonly used tag search in order to attempt to prove a point that isn't there.
This looks like a nice variety of challenges! I've always found constructing ROP chains extremely satisfying, even more than regular exploit development.
As a plug, I wrote a blog post solving a similar exercise using a ROP chain: http://www.kvakil.me/posts/ropchain/ . It looks pretty similar to the pivot challenge here.
There's really no need for a leaderboard on a site like this. It's just a site to teach ROP in isolation. If you want to pwn with a leaderboard I recommend pwnable.tw where you can test the ROP skills you learned in the ROP emporium while also learning about auditing binaries for memory corruption bugs of various kinds.
I am pretty sure this is quite an unpopular opinion, but I think that the biggest issue we have in computer security is culture.
Information security breaches are not victimless crimes. The ubiquity of massive security failures shows that they are not rare occurrences. I believe that this symptomizes a failure of our culture, related to an inability to integrate information technology into the proper context within our society.
Sure, we need to be aware of exploit patterns so that we can make structural improvements, but we don't need to become jolly experts in them. We should stop glorifying cyber-criminals.
Not trying to be rude at all but that's a bit of a dream world. In all of human history the very second someone invents a lock, someone else starts figuring out how to break it. This is extremely unlikely to change, mostly because it's fun and rewarding.
I'd agree the biggest issue in Computer Security is culture but it's not that too many people learn what security is, it's the complete and utter disregard that the majority of developers show for the basics. Combine that with a general attitude of Security experts looking down at non-experts (I think this is getting MUCH better thankfully) and it's no wonder most systems are like Swiss cheese and full of wholes.
> it's the complete and utter disregard that the majority of developers show for the basics
I'm not sure that can be pinned squarely on the developers. IME, it's often their management that wants to cut corners. Since proper security takes many steps, it makes it an easy target for management to negotiate some of those steps out of the project. I'm sure there are a few developers that don't do it correctly out of sheer laziness, and many that don't do it correctly out of ignorance, but for large projects with many developers (e.g., banking websites, etc.) I would think that most of the developers want to do it correctly, but management thinks it costs too much. Besides, there's no real ramifications for management to consider anyway (which is, IMO, the crux of the problem, but also another problem unto itself).
I get your point and I agree about the culture thing, but where do you see someone glorifying criminals with post like this ? It is technical information aimed at ethical hackers or security enthousiasts to improve their skills in a specific domain. For me, it's like saying policeman training to shoot is glorifying criminals.
https://github.com/abatchy17/ROP-Emporium