{"id":13520303,"url":"https://github.com/Ben-Lichtman/ropr","last_synced_at":"2025-03-31T16:31:10.054Z","repository":{"id":39758170,"uuid":"284647852","full_name":"Ben-Lichtman/ropr","owner":"Ben-Lichtman","description":"A blazing fast™ multithreaded ROP Gadget finder. ropper / ropgadget alternative","archived":false,"fork":false,"pushed_at":"2024-10-06T21:39:40.000Z","size":80,"stargazers_count":464,"open_issues_count":5,"forks_count":27,"subscribers_count":6,"default_branch":"master","last_synced_at":"2024-10-06T21:51:01.159Z","etag":null,"topics":["command-line-tool","exploitation","rop","rop-chain","rop-gadget","rust"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Ben-Lichtman.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2020-08-03T08:40:35.000Z","updated_at":"2024-10-06T21:39:43.000Z","dependencies_parsed_at":"2024-01-15T03:59:41.225Z","dependency_job_id":"e90b7eec-b712-4cbc-9eeb-f88d17e0bd9e","html_url":"https://github.com/Ben-Lichtman/ropr","commit_stats":{"total_commits":77,"total_committers":6,"mean_commits":"12.833333333333334","dds":0.1428571428571429,"last_synced_commit":"4b96371bf5f4c51a7c89553e936d035ac29b522a"},"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ben-Lichtman%2Fropr","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ben-Lichtman%2Fropr/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ben-Lichtman%2Fropr/releases","manifests_url":"https:
//repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ben-Lichtman%2Fropr/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Ben-Lichtman","download_url":"https://codeload.github.com/Ben-Lichtman/ropr/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":222670691,"owners_count":17020513,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["command-line-tool","exploitation","rop","rop-chain","rop-gadget","rust"],"created_at":"2024-08-01T05:02:17.153Z","updated_at":"2024-11-02T03:31:11.035Z","avatar_url":"https://github.com/Ben-Lichtman.png","language":"Rust","funding_links":[],"categories":["Weapons","Vulnerability Assessment","Rust"],"sub_categories":["Tools","Binary Analysis \u0026 Reversing"],"readme":"# ropr\n\nropr is a blazing fast multithreaded ROP Gadget finder\n\n### What is a ROP Gadget?\n\nROP (Return Oriented Programming) Gadgets are small snippets of a few assembly instructions typically ending in a `ret` instruction which already exist as executable code within each binary or library. These gadgets may be used for binary exploitation and to subvert vulnerable executables.\n\nWhen the addresses of many ROP Gadgets are written into a buffer we have formed a ROP Chain. If an attacker can move the stack pointer into this ROP Chain then control can be completely transferred to the attacker.\n\nMost executables contain enough gadgets to write a turing-complete ROP Chain. 
For those that don't, one can always use dynamic libraries contained in the same address-space such as libc once we know their addresses.\n\nThe beauty of using ROP Gadgets is that no new executable code needs to be written anywhere - an attacker may achieve their objective using only the code that already exists in the program.\n\n### How do I use a ROP Gadget?\n\nTypically the first requirement to use ROP Gadgets is to have a place to write your ROP Chain - this can be any readable buffer. Simply write the addresses of each gadget you would like to use into this buffer. If the buffer is too small there may not be enough room to write a long ROP Chain into and so an attacker should be careful to craft their ROP Chain to be efficient enough to fit into the space available.\n\nThe next requirement is to be able to control the stack - this can take the form of a stack overflow - which allows the ROP Chain to be written directly under the stack pointer, or a \"stack pivot\" - which is usually a single gadget which moves the stack pointer to the rest of the ROP Chain.\n\nOnce the stack pointer is at the start of your ROP Chain, the next `ret` instruction will trigger the gadgets to be executed in sequence - each using the next as its return address on its own stack frame.\n\nIt is also possible to add function pointers into a ROP Chain - taking care that function arguments be supplied after the next element of the ROP Chain. 
This is typically combined with a \"pop gadget\", which pops the arguments off the stack in order to smoothly transition to the next gadget after the function arguments.\n\n### How do I install ropr?\n\n- Requires cargo (the Rust build system)\n\nEasy install:\n```\ncargo install ropr\n```\nthe application will install to `~/.cargo/bin`\n\nFrom source:\n```\ngit clone https://github.com/Ben-Lichtman/ropr\ncd ropr\ncargo build --release\n```\nthe resulting binary will be located in `target/release/ropr`\n\nAlternatively:\n```\ngit clone https://github.com/Ben-Lichtman/ropr\ncd ropr\ncargo install --path .\n```\nthe application will install to `~/.cargo/bin`\n\n### How do I use ropr?\n\n```\nUSAGE:\n    ropr [OPTIONS] \u003cBINARY\u003e\n\nARGS:\n    \u003cBINARY\u003e    The path of the file to inspect\n\nOPTIONS:\n    -b, --base-pivot               Filters for gadgets which alter the base pointer\n    -c, --colour \u003cCOLOUR\u003e          Forces output to be in colour or plain text (`true` or `false`)\n    -h, --help                     Print help information\n    -j, --nojop                    Removes \"JOP Gadgets\" - these may have a controllable branch,\n                                   call, etc. instead of a simple `ret` at the end\n    -m, --max-instr \u003cMAX_INSTR\u003e    Maximum number of instructions in a gadget [default: 6]\n    -n, --noisy                    Includes potentially low-quality gadgets such as prefixes,\n                                   conditional branches, and near branches (will find significantly\n                                   more gadgets)\n    -p, --stack-pivot              Filters for gadgets which alter the stack pointer\n    -r, --norop                    Removes normal \"ROP Gadgets\"\n    -R, --regex \u003cREGEX\u003e            Perform a regex search on the returned gadgets for easy filtering\n        --range \u003cRANGE\u003e            Search between address ranges (in hexadecimal) eg. 
`0x1234-0x4567`\n        --raw \u003cRAW\u003e                Treats the input file as a blob of code (`true` or `false`)\n    -s, --nosys                    Removes syscalls and other interrupts\n    -V, --version                  Print version information\n```\n\nFor example, if I were looking for a way to fill `rax` with a value from another register I may choose to filter by the regex `^mov eax, ...;`:\n\n```\n❯ ropr /usr/lib/libc.so.6 -R \"^mov eax, ...;\" \u003e /dev/null\n\n==\u003e Found 197 gadgets in 0.118 seconds\n```\n\nNow I can add some filters to the command line for the highest quality results:\n\n```\n❯ ropr /usr/lib/libc.so.6 -m 2 -j -s -R \"^mov eax, ...;\"\n0x000353e7: mov eax, eax; ret;\n0x000788c8: mov eax, ecx; ret;\n0x00052252: mov eax, edi; ret;\n0x0003ae43: mov eax, edx; ret;\n0x000353e6: mov eax, r8d; ret;\n0x000788c7: mov eax, r9d; ret;\n\n==\u003e Found 6 gadgets in 0.046 seconds\n```\n\nNow I have a good `mov` gadget candidate at address `0x00052252`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FBen-Lichtman%2Fropr","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FBen-Lichtman%2Fropr","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FBen-Lichtman%2Fropr/lists"}