From d93e4d890307a28653e494d17ab351bb574a4f1b Mon Sep 17 00:00:00 2001
From: Alessandro Lupini <126893851+Disturbante@users.noreply.github.com>
Date: Tue, 22 Oct 2024 19:01:24 +0200
Subject: [PATCH 1/2] Update ropstar.py
---
 ropstar.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ropstar.py b/ropstar.py
index 345b163..2b49868 100644
--- a/ropstar.py
+++ b/ropstar.py
@@ -27,7 +27,8 @@ def __init__(self, argv):
 parser.add_argument('-p', help='use proxy, e.g. https://127.0.0.1:8080')
 parser.add_argument('-m', help='specify address of main method, in case there is no symbols')
 parser.add_argument('-xor', help='xor payload with given byte')
- parser.add_argument('-win', help='specify win function address to call')
+ parser.add_argument('-win', help='specify win function address to call')
+ parser.add_argument('-interactive', help='when selecting win function, toggle interactive mode after entering the function (CTF shell win functions)', action='store_true')
 parser.add_argument('-magic', help='magic string that needs to be sent before the payload')
 parser.add_argument('-remote_offset', help='get offset remotely via observing responses (often required with canaries)', action='store_true')
 parser.add_argument('-state', help='canary,rbp,rip (comma seperated)')
From ac02c8d6f30a2e27bb41fc5586bf0522626ece9d Mon Sep 17 00:00:00 2001
From: Alessandro Lupini <126893851+Disturbante@users.noreply.github.com>
Date: Tue, 22 Oct 2024 19:02:25 +0200
Subject: [PATCH 2/2] Update exploit.py
---
 ropstar/exploit.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ropstar/exploit.py b/ropstar/exploit.py
index 588c64c..1bebf85 100644
--- a/ropstar/exploit.py
+++ b/ropstar/exploit.py
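Review bot: The new `-interactive` flag is only meaningful together with `-win`, but nothing in the hunk ties the two together — argparse will accept `-interactive` on its own and silently do nothing, and the help text does not say that `-win` is required. I would state the dependency in the help string, e.g. `help='with -win: hand the connection to the user after the win function runs (for win functions that spawn a shell)'`, and, where the arguments are parsed (later in `__init__`, outside this hunk), reject the combination with something like `if args.interactive and not args.win: parser.error('-interactive requires -win')`, using whatever name the file gives the parsed namespace. The removed and re-added `-win` lines are byte-identical as printed here, which suggests a whitespace-only change (indentation or trailing space); if so it is worth dropping from the patch so the diff carries only the real addition. `__init__` continues outside the hunk.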
@@ -29,6 +29,9 @@ def win(self, p, win):
 payload = self.ropstar.fit(rop.chain())
 self.ropstar.trigger(p, payload)
 # we usually don't get shells from these, mostly just cat on the flag
+ # added pop shell functionality
+ if self.ropstar.args.interactive:
+ p.interactive()
 return
@@ -211,4 +214,4 @@ def fmt_leak(self, p, addr, offset):
 leak = p.recvall()
 bytes = bytearray(leak)
 l = re.search(b'...\xf7',bytes).group(0)
- return self.ux(l)
\ No newline at end of file
+ return self.ux(l)
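Review bot: The comment kept just above the new block, `# we usually don't get shells from these, mostly just cat on the flag`, now sits directly on top of code that hands the user an interactive session, and the added `# added pop shell functionality` line is a change-log note rather than an explanation; I would replace both with one comment that states the intent, e.g. `# most win functions just cat the flag; with -interactive the tube is handed to the user in case the win function spawned a shell`. `self.ropstar.args.interactive` assumes the parsed argparse namespace is stored as `args` on the ropstar object — that attribute is not visible in either patch, so please confirm it exists (the `-interactive` option itself is only defined in the companion ropstar.py change). If `p` is a pwntools tube, as `recvall()` and `interactive()` suggest, `p.interactive()` blocks until the session ends (EOF or the user quits), so the trailing `return` only runs afterwards; when the win function has already exited after printing the flag this just reports EOF, which seems acceptable but is worth a word in the comment. The body of `win` starts before this hunk.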