
Dr. Gadget IDAPython plugin
Author: dennis
Created: Saturday, July 24 2010 06:23.54 CDT; Modified: Saturday, July 31 2010 05:41.04 CDT

Hi,



I wanted to share with you this little IDAPython plugin, which helps in writing and analyzing return-oriented payloads. It uses IDA's custom viewers to display an array of DWORDs called 'items', where an item is either a pointer to a gadget (an 'offset') or a simple 'value'.

Several keyboard shortcuts give access to functionality that is also available from the context menu:

ESC - closes the plugin
ENTER - jumps to the item's address in the disassembly
O - toggles the item type (offset, value)
D - deletes an item
I - inserts an item
E - edits an item's value



Functionality that is accessible via the context menu only:

Load payload - loads a payload from disk
Save payload - saves a payload to disk
Auto analysis I - tries to determine each item's type (offset, value)
Reset - resets each item's type
Show disassembly - opens a disassembly subwindow
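To make the item model concrete, here is an added stand-alone Python example (it is not Dr. Gadget's own code, which runs inside IDA and is linked below). It reads a payload in the same shape the plugin loads, an array of little-endian DWORDs, and classifies each item as an 'offset' or a 'value'. The module table, the load address chosen for BIB.dll and the sample payload are all constructed here; the classification rule (an item is an offset if it falls inside a loaded module's image) is an assumption about what 'Auto analysis' does, not something the post documents.

```python
# Added example, not Dr. Gadget's own code: a stand-alone reconstruction of the
# data model the plugin displays. A payload is an array of little-endian DWORDs;
# each item is either an "offset" (an address inside a loaded module, i.e. a
# gadget pointer) or a plain "value" (a constant popped into a register, a stack
# pivot delta, a length argument, ...).
#
# Dr. Gadget takes module ranges from the IDB or the debugger. This script has
# no IDA, so the module table and the payload are constructed by hand.
import struct

# Constructed module table; the load address for BIB.dll is hypothetical.
MODULES = {
    "BIB.dll": (0x07000000, 0x0705A000),
}


def load_payload(data):
    """Split raw payload bytes into DWORD items (the plugin's 'Load payload')."""
    if len(data) % 4:
        raise ValueError("payload length %d is not a multiple of 4" % len(data))
    return list(struct.unpack("<%dI" % (len(data) // 4), data))


def save_payload(items):
    """Inverse of load_payload (the plugin's 'Save payload')."""
    return struct.pack("<%dI" % len(items), *items)


def module_of(addr, modules=MODULES):
    """Return (module name, rva) if addr lies inside a known module, else None."""
    for name, (lo, hi) in modules.items():
        if lo <= addr < hi:
            return name, addr - lo
    return None


def auto_analysis(items, modules=MODULES):
    """Guess each item's type: 'offset' if it points into a module, else 'value'.

    Assumed heuristic (the post does not spell out the plugin's own rule). A
    value that happens to fall inside a module range, e.g. a size argument, is
    misclassified, which is what the manual 'O' toggle is for.
    """
    return ["offset" if module_of(v, modules) else "value" for v in items]


def toggle_type(kind):
    """The 'O' shortcut: flip an item between 'offset' and 'value'."""
    return "value" if kind == "offset" else "offset"


def render(items, kinds, modules=MODULES):
    """Lines in the spirit of the ROP view: index, raw DWORD, type, module+rva."""
    lines = []
    for i, (v, k) in enumerate(zip(items, kinds)):
        where = ""
        if k == "offset":
            hit = module_of(v, modules)
            where = "%s+0x%x" % hit if hit else "(not inside a known module)"
        lines.append("%04d  0x%08x  %-6s  %s" % (i, v, k, where))
    return lines


# Constructed sample payload: three gadget pointers with two arguments between them.
SAMPLE = save_payload([0x07001234, 0x41414141, 0x07005678, 0x00000100, 0x0700ABCD])

if __name__ == "__main__":
    items = load_payload(SAMPLE)
    kinds = auto_analysis(items)
    print("\n".join(render(items, kinds)))
```

Run it as a script to get a listing of the sample chain; on a real payload, load the bytes from disk instead of SAMPLE and fill MODULES from the target's actual load addresses, otherwise every item is reported as a value.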





The screenshots below show the plugin's interface. The IDB is a disassembly of 'BIB.dll' (MD5: 2ec16a4cdb828a31a432513a82cbafdf). _rop.bin is some exploit's payload in binary form (more info: http://blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/).

[screenshots]

The plugin can be used either on a static disassembly or during an IDA debugging session.



The plugin is available here: http://www.openrce.org/repositories/users/dennis/drgadget.py

_rop.bin is available here: http://www.openrce.org/repositories/users/dennis/rop.bin



edit:

Just uploaded v0.2, which adds Elias Bachaalany's "find instruction/opcode" script from http://hexblog.com/2009/09/assembling_and_finding_instruc.html







Blog Comments

dennis Posted: Thursday, August 26 2010 02:49.19 CDT

New version 0.3 uploaded, introducing the following changes:



- bugfixes

- added ARM support

- primitive stack/pc tracing for ARM

- Disassembly view export to file

- string reference scanning in disasm view

- add support for comments both in rop view and disasm view in sync

- sync offset number display between ropview and disasm



The screenshot below shows stage 2 of the ROP code of the http://www.jailbreakme.com/ exploit.







Code is available here



All changes courtesy of Karthik (neox.fx at gmail dot com)





dennis Posted: Wednesday, September 12 2012 06:11.12 CDT Dr. Gadget has just been updated due to a bugfix (thanks Ivanlef0u). The project is now available on github (https://github.com/patois/DrGadget) and licensed under the Beerware license ;-)





