ROPgadget - Gadgets finder and auto-roper

Description

by Jonathan Salwan - 2011-03-12

This tool lets you search for gadgets in your binaries to facilitate ROP exploitation. ROPgadget supports the ELF, PE and Mach-O formats on the x86, x64, ARM, PowerPC, SPARC and MIPS architectures. Since version 5, ROPgadget has a new core written in Python that uses the Capstone disassembly framework for its gadget search engine. The older version can be found in the Archives directory, but it is no longer maintained.

GitHub https://github.com/JonathanSalwan/ROPgadget

Change Log

v5.4:
    Fix: bug e_shstrndx = UNDEF
    Add: gadget intel x64 - 0F05 syscall
    Add: gadget arm64 - ret reg
    Add: gadget arm64 - bl/blr reg
    Add: gadget intel x64 - jmp/call [reg+imm]
    Add: Improve performance around the search engine
    Add: Python3 support
    Add: test suite file

v5.3:
    Fix: some bugs
    Fix: Use segment instead of section to find gadgets
    Add: --all option
    Add: --multibr option
    Add: --offset option
    Add: --rawArch option
    Add: --rawMode option
    Add: pypi setup install
    Add: support for Universal binaries on OS X
    Add: more console commands
    Add: ARM64 gadgets
    Add: x86_64 ROP chain generation
    Add: more x86 branch instructions
    Update: design

v5.1:
    Bug fix: Aligning Instruction
    Add: --badbytes option
    Add: System gadget for MIPS arch
    Fix: JOP PPC

v5.0:
    Restart from scratch
    New core in Python using the Capstone Framework
    Support ARM, x86, x64, MIPS, Sparc and PowerPC
    Support Mach-O, PE and ELF
    Add console mode

v4.0.3:
    Made searching for gadgets faster by dark-rose

v4.0.2:
    Bug fix genInstrX86.
    Bug fix by cao - comparison in gadget search for gadgets with null character

v4.0.1:
    Update python3 to python2.
    Add new python script to generate gadgets table 32 and 64 bits.
    Update default syntax to Intel.
    genInstrX86.py: Add several pop + ret combinations

v4.0.0:
    Addition of 64 bit linux support for ROP exploit generation.
    Addition of 64 bit support for ROP gadget searching.
    Addition of Windows PE file loading for gadget searching.
    Addition of detection of shared libraries and improved code gen for them.
    Generation of execve ROP exploits with arbitrary argument vectors.
    Payload generation in PHP, C and Perl as well as improved generation for python.
    Color disable/enable switch.
    Improved user friendliness.
    Vastly increased ROP searching speed.
    Code restructuring for easing addition of new architectures/platforms.
    General refactoring and code friendliness.

v3.4.1:
    Bug Fix in module importsc with intel syntax

v3.4.0:
    Feature - Support AT&T and intel syntax

v3.3.4:
    Bug Fix - False positive (github issue)

v3.3.3:
    Bug Fix in the supported architectures. (src/check_arch_supported.c)

v3.3.2:
    Bug Fix (Buffer Overflow - src/check_bind_mode.c)

v3.3.1:
    Segmentation Fault fixed, on compilation x86 64 bits (src/varop.c)

v3.3:
    New Core and new features.

How to install

$ git clone -b master http://github.com/JonathanSalwan/ROPgadget.git
$ cd ROPgadget
$ cd ./dependencies/capstone-next
$ ./make.sh
$ sudo ./make.sh install
$ cd ./bindings/python
$ make
$ sudo make install

Usage

usage: ROPgadget [-h] [-v] [-c] [--binary <binary>] [--opcode <opcodes>]
                 [--string <string>] [--memstr <string>] [--depth <nbyte>]
                 [--only <key>] [--filter <key>] [--range <start-end>]
                 [--badbytes <byte>] [--rawArch <arch>] [--rawMode <mode>]
                 [--re <re>] [--offset <hexaddr>] [--ropchain] [--thumb]
                 [--console] [--norop] [--nojop] [--nosys] [--multibr]
                 [--all] [--dump]

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         Display the ROPgadget's version
  -c, --checkUpdate     Checks if a new version is available
  --binary <binary>     Specify a binary filename to analyze
  --opcode <opcodes>    Search opcode in executable segment
  --string <string>     Search string in readable segment
  --memstr <string>     Search each byte in all readable segment
  --depth <nbyte>       Depth for search engine (default 10)
  --only <key>          Only show specific instructions
  --filter <key>        Suppress specific instructions
  --range <start-end>   Search between two addresses (0x...-0x...)
  --badbytes <byte>     Rejects specific bytes in the gadget's address
  --rawArch <arch>      Specify an arch for a raw file
  --rawMode <mode>      Specify a mode for a raw file
  --re <re>             Regular expression
  --offset <hexaddr>    Specify an offset for gadget addresses
  --ropchain            Enable the ROP chain generation
  --thumb               Use the thumb mode for the search engine (ARM only)
  --console             Use an interactive console for search engine
  --norop               Disable ROP search engine
  --nojop               Disable JOP search engine
  --nosys               Disable SYS search engine
  --multibr             Enable multiple branch gadgets
  --all                 Disables the removal of duplicate gadgets
  --dump                Outputs the gadget bytes

Screenshot

Intel x64

ARM v7

Sparc v8

MIPS

PowerPC

ROP chain generation