https://github.com/jonathansalwan/ropgadget

This tool lets you search your gadgets on your binaries to facilitate your ROP exploitation. ROPgadget supports ELF, PE and Mach-O format on x86, x64, ARM, ARM64, PowerPC, SPARC, MIPS, RISC-V 64, and RISC-V Compressed architectures.
https://github.com/jonathansalwan/ropgadget

binary-exploitation reverse-engineering rop rop-exploitation rop-gadgets

Last synced: about 2 months ago
JSON representation

This tool lets you search your gadgets on your binaries to facilitate your ROP exploitation. ROPgadget supports ELF, PE and Mach-O format on x86, x64, ARM, ARM64, PowerPC, SPARC, MIPS, RISC-V 64, and RISC-V Compressed architectures.

• Host: GitHub
• URL: https://github.com/jonathansalwan/ropgadget
• Owner: JonathanSalwan
• License: other
• Created: 2011-08-19T15:30:14.000Z (about 13 years ago)
• Default Branch: master
• Last Pushed: 2023-09-01T07:07:28.000Z (about 1 year ago)
• Last Synced: 2024-06-20T06:33:35.868Z (3 months ago)
• Topics: binary-exploitation, reverse-engineering, rop, rop-exploitation, rop-gadgets
• Language: Python
• Homepage:
• Size: 42.8 MB
• Stars: 3,762
• Watchers: 121
• Forks: 543
• Open Issues: 9
• Metadata Files:
  • Readme: README.md
  • License: LICENSE_BSD.txt

Awesome Lists containing this project

README

        
ROPgadget Tool

==============

This tool lets you search your gadgets on your binaries to facilitate your ROP

exploitation. ROPgadget supports ELF/PE/Mach-O/Raw formats on x86, x64, ARM,

ARM64, PowerPC, SPARC, MIPS, RISC-V 64, and RISC-V Compressed architectures.

Install

-------

The easiest way is installing ROPgadget from PyPi:

    $ sudo apt install python3-pip

    $ sudo -H python3 -m pip install ROPgadget

    $ ROPgadget --help

Alternatively you can install ROPgadget from source.

You have to install [Capstone](http://www.capstone-engine.org/) first.

For the Capstone's installation on nix machine:

    $ sudo apt install python3-pip

    $ sudo -H python3 -m pip install capstone

Capstone supports multi-platforms (windows, ios, android, cygwin...). For the cross-compilation,

please refer to the https://github.com/capstone-engine/capstone/blob/master/COMPILE.TXT file.

After Capstone is installed, ROPgadget can be used as a standalone tool:

    $ python3 ROPgadget.py --help

Or installed into the Python site-packages library, and executed from $PATH.

    $ sudo -H python3 setup.py install

    $ ROPgadget --help

Usage

-----

    usage: ROPgadget.py [-h] [-v] [-c] [--binary ] [--opcode ]

                        [--string ] [--memstr ] [--depth ]

                        [--only ] [--filter ] [--range ]

                        [--badbytes ] [--rawArch ] [--rawMode ]

                        [--rawEndian ] [--re ] [--offset ]

                        [--ropchain] [--thumb] [--console] [--norop] [--nojop]

                        [--callPreceded] [--nosys] [--multibr] [--all] [--noinstr]

                        [--dump] [--silent] [--align ALIGN] [--mipsrop ]

    description:

      ROPgadget lets you search your gadgets on a binary. It supports several

      file formats and architectures and uses the Capstone disassembler for

      the search engine.

    formats supported:

      - ELF

      - PE

      - Mach-O

      - Raw

    architectures supported:

      - x86

      - x86-64

      - ARM

      - ARM64

      - MIPS

      - PowerPC

      - Sparc

      - RISC-V 64

      - RISC-V Compressed

    optional arguments:

      -h, --help            show this help message and exit

      -v, --version         Display the ROPgadget's version

      -c, --checkUpdate     Checks if a new version is available

      --binary      Specify a binary filename to analyze

      --opcode     Search opcode in executable segment

      --string      Search string in readable segment

      --memstr      Search each byte in all readable segment

      --depth        Depth for search engine (default 10)

      --only           Only show specific instructions

      --filter         Suppress specific mnemonics

      --range    Search between two addresses (0x...-0x...)

      --badbytes      Rejects specific bytes in the gadget's address

      --rawArch       Specify an arch for a raw file

                            x86|arm|arm64|sparc|mips|ppc|riscv

      --rawMode       Specify a mode for a raw file 32|64|arm|thumb

      --rawEndian   Specify an endianness for a raw file little|big

      --re              Regular expression

      --offset     Specify an offset for gadget addresses

      --ropchain            Enable the ROP chain generation

      --thumb               Use the thumb mode for the search engine (ARM only)

      --console             Use an interactive console for search engine

      --norop               Disable ROP search engine

      --nojop               Disable JOP search engine

      --callPreceded        Only show gadgets which are call-preceded

      --nosys               Disable SYS search engine

      --multibr             Enable multiple branch gadgets

      --all                 Disables the removal of duplicate gadgets

      --noinstr             Disable the gadget instructions console printing

      --dump                Outputs the gadget bytes

      --silent              Disables printing of gadgets during analysis

      --align ALIGN         Align gadgets addresses (in bytes)

      --mipsrop      MIPS useful gadgets finder

                            stackfinder|system|tails|lia0|registers

    examples:

      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86

      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --ropchain

      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --depth 3

      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --string "main"

      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --string "m..n"

      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --opcode c9c3

      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --only "mov|ret"

      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --only "mov|pop|xor|ret"

      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --filter "xchg|add|sub|cmov.*"

      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --norop --nosys

      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --range 0x08041000-0x08042000

      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --string main --range 0x080c9aaa-0x080c9aba

      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --memstr "/bin/sh"

      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --console

      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --badbytes "00|01-1f|7f|42"

      ROPgadget.py --binary ./test-suite-binaries/Linux_lib64.so --offset 0xdeadbeef00000000

      ROPgadget.py --binary ./test-suite-binaries/elf-ARMv7-ls --depth 5

      ROPgadget.py --binary ./test-suite-binaries/elf-ARM64-bash --depth 5

      ROPgadget.py --binary ./test-suite-binaries/raw-x86.raw --rawArch=x86 --rawMode=32

      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-RISCV_64 --depth 8

How can I contribute ?

----------------------

- Add system gadgets for PPC, Sparc, ARM64 (Gadgets.addSYSGadgets()).

- Support RISC-V 32-bit.

- Handle bad bytes in data during ROP chain generation.

- Manage big endian in Mach-O format like the ELF class.

- Everything you think is cool :)

Bugs/Patches/Contact

--------------------

Please, report bugs, submit pull requests, etc. on GitHub at https://github.com/JonathanSalwan/ROPgadget

License

-------

See LICENSE_BSD.txt and the license header on all source files.

Screenshots

-----------