Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/hugsy/ropgadget-rs

Another (bad) ROP gadget finder, but this time in Rust

exploit-development pwn rop rop-gadget-finder ropgadget rust

README

# `ropgadget-rs`

RopGadget-rs started as a weekend project to learn [Rust](https://www.rust-lang.org/). But, as usual, it also grew out of the need for a really fast and easily portable ROP gadget finder that can quickly handle any binary (especially very large ones such as mshtml, ntoskrnl, chrome, etc.).

> [!NOTE]
> This library is a side project to learn Rust. If you want better tools, see the ones mentioned at the bottom of the page.

Currently supports:

| | ELF | PE | MachO |
| :---: | :----: |:-----:|:---------:|
| x86 | ✅ | ✅ | ✅ |
| x64 | ✅ | ✅ | ✅ |
| arm | ✅ | ✅ | ❌ |
| arm64 | ✅ | ✅ | ❌ |

## `ropgadget-rs`

Since 0.4, RopGadget-Rs has been re-designed to be built as a library so it can be integrated into other projects.
A lightweight standalone binary that exposes everything the library offers can also be built.

## Build

(Optional) If you don't have `cargo`, install it first:

- On Linux/MacOS
```bash
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
```

- On Windows
```ps1
Invoke-WebRequest https://win.rustup.rs/x86_64 -UseBasicParsing -OutFile "rustup-init.exe"
# Run the downloaded installer from the current directory (PowerShell requires the explicit .\ prefix)
.\rustup-init.exe
```

Then build:
```bash
git clone https://github.com/hugsy/ropgadget-rs
cd ropgadget-rs
cargo build --release --lib
```

You might also want to build the ropgadget-rs binary so it can be easily used from the command line:
```bash
cargo build --release --example rp-rs
```

And run:
```bash
cargo run -- --help
```

## Install

Via `cargo`

```bash
cargo install --bins --git https://github.com/hugsy/ropgadget-rs.git
```

## Performance

The tool performs decently but could largely be optimized (and will be, over time).
Here are some performance figures obtained on an old i5-4300M (built in `--release` mode) with 2 threads (the default):

* `ntoskrnl.exe` (Windows 10 RS6 - 10.0.19041.329) - 10,921,280 bytes

```console
> ./ropgadget-rs.exe -o rop.txt -vv ./ntoskrnl-rs6.exe
[INFO] - Checking file './ntoskrnl-rs6.exe'
[INFO] - Creating new Session(file=./ntoskrnl-rs6.exe, Info(Arch=x86-64, OS=PE))
[INFO] - Looking for gadgets in 15 sections (with 2 threads)...'
[INFO] - Dumping 336787 gadgets to 'rop.txt'...
[INFO] - Done!
[INFO] - Execution: 336787 gadgets found in 13.5224138s
```

* `msedge.dll` (Chromium Edge - 83.0.478.64) - 145,665,416 bytes

```console
> ./ropgadget-rs -o rop.txt -vv ./msedge.dll
[INFO] - Checking file './msedge.dll'
[INFO] - Creating new Session(file=./msedge.dll, Info(Arch=x86-64, OS=PE))
[INFO] - Looking for gadgets in 1 sections (with 2 threads)...'
[INFO] - Dumping 5713703 gadgets to 'rop.txt'...
[INFO] - Done!
[INFO] - Execution: 5713703 gadgets found in 132.2237842s
```

YMMV, but most small files (like typical Unix binaries) are processed in well under 1 second.

```console
$ ./ropgadget-rs -vv -o /dev/null /bin/ls
[INFO] - Checking file '/bin/ls'
[INFO] - Creating new Session(file=/bin/ls, Info(Arch=x86-64, OS=ELF))
[INFO] - Looking for gadgets in 5 sections (with 2 threads)...'
[INFO] - Dumping 3544 gadgets to '/dev/null'...
[INFO] - Done!
[INFO] - Execution: 3544 gadgets found in 151.5587ms
```
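To make the log lines above concrete ("looking for gadgets in N sections with 2 threads", then a de-duplicated gadget count), here is a minimal byte-level scanner for x86-64 `ret`-terminated gadgets. This is an added teaching example, not code from ropgadget-rs: it spreads the sections over a fixed number of threads and collects every byte window ending in `ret`/`ret imm16`, whereas a real finder disassembles backwards from the return instead of keeping raw bytes. The `Section` type and the sample bytes are constructed for the example.

```rust
// Added example (not ropgadget-rs code): byte-level x86-64 gadget scanner.
// Each section is scanned on its own, the work is split over `threads`
// workers, and results are keyed by address so duplicates collapse.
use std::collections::BTreeMap;
use std::thread;

const MAX_LEN: usize = 6; // longest gadget body (bytes before the ret) to keep

/// A constructed executable section: base virtual address plus raw bytes.
#[derive(Clone)]
pub struct Section {
    pub base: u64,
    pub bytes: Vec<u8>,
}

/// Scan one section; returns (gadget address, gadget bytes including the ret).
pub fn scan_section(sec: &Section) -> Vec<(u64, Vec<u8>)> {
    let mut out = Vec::new();
    for (i, &b) in sec.bytes.iter().enumerate() {
        let end = match b {
            0xC3 => i + 1,                             // ret
            0xC2 if i + 3 <= sec.bytes.len() => i + 3, // ret imm16 (operand must fit)
            _ => continue,
        };
        // Walk backwards from the ret: every suffix is a candidate gadget.
        // Stop at an earlier ret, since a gadget cannot contain a second return.
        for start in (i.saturating_sub(MAX_LEN)..=i).rev() {
            if start < i && matches!(sec.bytes[start], 0xC2 | 0xC3) {
                break;
            }
            out.push((sec.base + start as u64, sec.bytes[start..end].to_vec()));
        }
    }
    out
}

/// Scan all sections using `threads` workers, de-duplicating by address.
pub fn find_gadgets(sections: &[Section], threads: usize) -> BTreeMap<u64, Vec<u8>> {
    // Split the section list evenly across the workers ("with 2 threads").
    let t = threads.max(1);
    let per_worker = ((sections.len() + t - 1) / t).max(1);
    let workers: Vec<_> = sections
        .chunks(per_worker)
        .map(|group| {
            let group = group.to_vec();
            thread::spawn(move || group.iter().flat_map(scan_section).collect::<Vec<_>>())
        })
        .collect();
    workers.into_iter().flat_map(|w| w.join().expect("scan thread panicked")).collect()
}
```

Because the scanner works on raw bytes rather than decoded instructions, a `ret` opcode byte inside an operand is still reported, which is one reason gadget counts for large binaries (millions for `msedge.dll` above) are so high.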

## Better projects

Unless you're OK with running into my bugs, you should probably check out one of these projects:
- [rp++](https://github.com/0vercl0k/rp)
- [ropper](https://github.com/sashs/ropper)
- [RopGadget](https://github.com/JonathanSalwan/ROPgadget)