{"id":13845170,"url":"https://github.com/Hakumarachi/Bropper","last_synced_at":"2025-07-12T01:31:49.831Z","repository":{"id":131079400,"uuid":"591336581","full_name":"Hakumarachi/Bropper","owner":"Hakumarachi","description":"An automatic Blind ROP exploitation tool","archived":false,"fork":false,"pushed_at":"2023-06-09T12:40:05.000Z","size":259,"stargazers_count":190,"open_issues_count":1,"forks_count":17,"subscribers_count":5,"default_branch":"main","last_synced_at":"2024-11-21T18:38:58.098Z","etag":null,"topics":["brop","ctf","exploit","pwn","python","rop"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Hakumarachi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2023-01-20T14:09:19.000Z","updated_at":"2024-11-16T16:51:31.000Z","dependencies_parsed_at":"2023-06-01T01:00:34.653Z","dependency_job_id":null,"html_url":"https://github.com/Hakumarachi/Bropper","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Hakumarachi/Bropper","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hakumarachi%2FBropper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hakumarachi%2FBropper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hakumarachi%2FBropper/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hakumarachi%2FBropper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Hakumarachi","download_url":"https://codeload.gith
ub.com/Hakumarachi/Bropper/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hakumarachi%2FBropper/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264923078,"owners_count":23683716,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["brop","ctf","exploit","pwn","python","rop"],"created_at":"2024-08-04T17:03:15.022Z","updated_at":"2025-07-12T01:31:49.325Z","avatar_url":"https://github.com/Hakumarachi.png","language":"Python","funding_links":[],"categories":["CTF相关","Python"],"sub_categories":[],"readme":"# BROPPER\r\n\r\n\u003cp align=\"center\"\u003e\r\n  An automatic Blind ROP exploitation Python tool\r\n  \u003cbr\u003e\r\n  \u003cbr\u003e\r\n\u003c/p\u003e\r\n\r\n## Abstract\r\nBROP (Blind ROP) is a technique published by Andrew Bittau from Stanford in 2014.\r\n\r\n- [Original paper](https://www.scs.stanford.edu/brop/bittau-brop.pdf)\r\n- [Slides](https://www.scs.stanford.edu/brop/bittau-brop-slides.pdf)\r\n\r\nMost servers, such as nginx, Apache and MySQL, fork and then communicate with the client. This means the canary and the addresses stay the same across connections even when ASLR and PIE are enabled, so educated brute force can be used to leak information and subsequently craft a working exploit.\r\n\r\n## Flow of exploitation\r\n\r\n1. Find buffer overflow offset\r\n2. Find canary\r\n3. Find saved registers (RBP / RIP)\r\n4. Find stop gadgets\r\n5. Find brop gadgets\r\n6. Find a write function (write / dprintf / puts / ...)\r\n7. Leak the binary\r\n\r\n## Examples of Results\r\n\r\nThere are 3 custom vulnerable examples provided in this repository. You can run them directly or build the Dockerfile.\r\n\r\n![](./.github/example.png)\r\n\r\nBROPPER will then dump the binary:\r\n\r\n![](./.github/example_dump.png)\r\n\r\nIt is then possible to extract all ROP gadgets from the dumped binary, for example with ROPgadget:\r\n```bash\r\n$ ROPgadget --binary dump\r\nGadgets information\r\n============================================================\r\n0x0000000000001177 : adc al, 0 ; add byte ptr [rax], al ; jmp 0x1020\r\n0x0000000000001157 : adc al, byte ptr [rax] ; add byte ptr [rax], al ; jmp 0x1020\r\n0x0000000000001137 : adc byte ptr [rax], al ; add byte ptr [rax], al ; jmp 0x1020\r\n...\r\n...\r\n...\r\n0x0000000000001192 : xor ch, byte ptr [rdi] ; add byte ptr [rax], al ; push 0x16 ; jmp 0x1020\r\n0x000000000000182e : xor eax, 0x891 ; mov rdi, rax ; call rcx\r\n0x0000000000001861 : xor eax, 0xffffff22 ; mov rdi, rax ; call rcx\r\n\r\nUnique gadgets found: 235\r\n```\r\n\r\n## Script usage\r\n\r\nTo use this script:\r\n\r\n```bash\r\npython3 -m pip install -r requirements.txt\r\npython3 bropper.py -t 127.0.0.1 -p 1337 --wait \"Password :\" --expected Bad --expected-stop Welcome -o dump\r\n```\r\n\r\n```bash\r\n$ python3 bropper.py -h\r\nusage: bropper.py [-h] -t TARGET -p PORT --expected-stop EXPECTED_STOP --expected EXPECTED --wait WAIT -o OUTPUT [--offset OFFSET] [--canary CANARY] [--no-canary] [--rbp RBP] [--rip RIP] [--stop STOP]\r\n                  [--brop BROP] [--plt PLT] [--strcmp STRCMP] [--elf ELF]\r\n\r\nDescription message\r\n\r\noptions:\r\n  -h, --help            show this help message and exit\r\n  -t TARGET, --target TARGET\r\n                        target url\r\n  -p PORT, --port PORT  target port\r\n  --expected-stop EXPECTED_STOP\r\n                        Expected response for the stop gadget\r\n  --expected EXPECTED   Expected normal response\r\n  --wait WAIT           String to wait before sending payload\r\n  -o OUTPUT, --output OUTPUT\r\n                        File to write dumped remote binary\r\n  --offset OFFSET       set a offset value\r\n  --canary CANARY       set a canary value\r\n  --no-canary           Use this argument if there is no stack canary protection\r\n  --rbp RBP             set rbp address\r\n  --rip RIP             set rip address\r\n  --stop STOP           set stop gadget address\r\n  --brop BROP           set brop gadget address\r\n  --plt PLT             set plt address\r\n  --strcmp STRCMP       set strcmp entry value\r\n  --elf ELF             set elf address\r\n```\r\n\r\n## Contributing\r\n\r\nPull requests are welcome. Feel free to open an issue if you want to add other features.\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FHakumarachi%2FBropper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FHakumarachi%2FBropper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FHakumarachi%2FBropper/lists"}