[ Shell-Storm.org ] | Project | ROPgadget tool v3.3

 Shell-Storm.org is a development organization based on GNU/Linux systems
 that provides free projects and source code.

 Shell-storm.org provides useful information to people who perform security testing.



 ROPgadget tool
 ==============

 This tool lets you search for gadgets in your binaries (ELF format) to facilitate ROP exploitation.
 Gadgets are searched for in the executable segments only.
 Since version 3.0, ROPgadget has an auto-roper that builds your payload automatically from the gadgets found.

 Download (Stable v3.3.3)  http://www.shell-storm.org/project/ROPgadget/files/

 GitHub (Stable v3.3.3)  https://github.com/JonathanSalwan/ROPgadget/



 Authors
 ========

  - Jonathan Salwan




 Change Log
 ==========
	
 	- v3.3.3:   Bug fix in the supported architectures (src/check_arch_supported.c)
 	- v3.3.2:   Bug fix (buffer overflow - src/check_bind_mode.c)
 	- v3.3.1:   Segmentation fault fixed when compiling on x86 64-bit (src/varop.c)
 	- v3.3:     New core and new features.



 How to install
 ==============

 git clone -b v3.3.3 git://github.com/JonathanSalwan/ROPgadget.git
 cd ./ROPgadget
 make
 sudo make install



 Usage
 =====


 Syntax:  ./ROPgadget <option> <binary> [FLAGS]

 Options: 
         -file                     Load file
         -g                        Search gadgets and make the payload
         -elfheader                Display ELF header
         -progheader               Display program header
         -sectheader               Display section header
         -symtab                   Display symbol table
         -allheader                Display ELF/program/section headers and symbol table
         -v                        Version

 Flags: 
         -bind                     Make a bind shellcode (optional; default is a local exploit)
         -port      <port>         Set the listening port (optional; default 1337)
         -importsc  <shellcode>    Make the payload and convert your shellcode into a ROP payload
         -filter    <word>         Word filter (slows down the search)
         -only      <keyword>      Keyword search (slows down the search)
         -opcode    <opcode>       Search for a specific opcode in the executable segments
         -string    <string>       Search for a specific string in the readable segments ('?' matches any char)
         -asm       <instructions> Search for specific instructions in the executable segments
         -limit     <value>        Limit the number of gadgets displayed
         -map       <start-end>    Search for gadgets in the executable segments between two addresses

 Ex:     
         ./ROPgadget -file ./smashme.bin -g -bind -port 8080
         ./ROPgadget -file ./smashme.bin -g -importsc "\x6a\x02\x58\xcd\x80\xeb\xf9"
         ./ROPgadget -file ./smashme.bin -g -filter "add %eax" -filter "dec" -bind -port 8080
         ./ROPgadget -file ./smashme.bin -g -only "pop" -filter "eax"
         ./ROPgadget -file ./smashme.bin -g -opcode "\xcd\x80"
         ./ROPgadget -file ./smashme.bin -g -asm "xor %eax,%eax ; ret"
         ./ROPgadget -file ./smashme.bin -g -asm "int \$0x80"
         ./ROPgadget -file ./smashme.bin -g -string "main"
         ./ROPgadget -file ./smashme.bin -g -string "m?in"




 Architectures supported for analysis
 ====================================

  - Linux/x86-32bits
  - FreeBSD/x86-32bits

  (32-bit architectures only)



 Gadgets found
 =============

 The tool can find a gadget inside another gadget: x86 instructions have variable length,
 so decoding the same bytes from a different start offset yields a different, equally valid
 instruction sequence.

 ROPgadget finds: `0x0806bb68: mov $0x5e5bf089,%edi | ret`


	The original gadget is:
	|                                                                            |
	| 806bb68 ! bf                               db          0bfh                |
	| 806bb69 !                                                                  |
	| ....... ! loc_806bb69:                    ;xref j806bb4c j806bb53 j806bb5e |
	| ....... ! 89f0                             mov         eax, esi            |
	| 806bb6b !                                                                  |
	| ....... ! loc_806bb6b:                    ;xref j806bb2e j806bb36 j806bb3d |
	| ....... !                                 ;xref j806bb44 j806bb70 j806bb77 |
	| ....... !                                 ;xref j806bb7e                   |
	| ....... ! 5b                               pop         ebx                 |
	| 806bb6c ! 5e                               pop         esi                 |
	| 806bb6d ! c3                               ret                             |
	| 806bb6e !                                                                  |
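The listing above and the `-g`, `-opcode` and `-string` flags in the Usage section can be reproduced with a small scanner. The following is an added example written for this page, not ROPgadget's own code: it uses a hypothetical minimal x86-32 decoder (`decode_one`) that only knows the handful of opcodes needed here, a constructed executable segment whose first six bytes are exactly those of the listing (`bf 89 f0 5b 5e c3` at 0x0806bb68) followed by constructed filler, and a constructed read-only segment for the string search. It shows why `mov $0x5e5bf089,%edi | ret` appears at 0x0806bb68 while the "original" `mov %esi,%eax | pop %ebx | pop %esi | ret` starts one byte later: the four bytes `89 f0 5b 5e` are the imm32 of the `mov` when decoding starts on the `bf` byte.

```python
"""Toy ROP gadget finder (added example; not ROPgadget's code).

Reproduces three searches from the Usage section on constructed data:
  -g       ret-terminated instruction streams from every start byte
  -opcode  raw byte pattern search on the executable segment
  -string  literal search on a readable segment, '?' matching any byte
"""
import re
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed executable segment. The first six bytes are the ones in the
# listing on the page (bf 89 f0 5b 5e c3 at 0x0806bb68); the remaining bytes
# are constructed filler that contains an int $0x80.
EXEC_BASE = 0x0806BB68
EXEC_SEG = bytes.fromhex("bf89f05b5ec3" + "31c0cd80c3" + "90")

# Constructed read-only data segment for the -string search.
RO_BASE = 0x0806C000
RO_SEG = b"\x00main\x00m4in\x00"


def decode_one(buf, i):
    """Decode one x86-32 instruction at buf[i] into AT&T syntax.

    Hypothetical minimal decoder: it knows only the opcodes this example
    needs and returns None for anything else. Returns (length, text).
    """
    b = buf[i]
    if b == 0xC3:
        return 1, "ret"
    if b == 0x90:
        return 1, "nop"
    if 0x58 <= b <= 0x5F:                          # pop r32
        return 1, "pop %" + REGS[b - 0x58]
    if 0xB8 <= b <= 0xBF and i + 5 <= len(buf):    # mov imm32, r32
        imm = struct.unpack_from("<I", buf, i + 1)[0]
        return 5, "mov $0x%x,%%%s" % (imm, REGS[b - 0xB8])
    if b in (0x89, 0x31) and i + 2 <= len(buf):    # mov/xor r32 -> r/m32
        modrm = buf[i + 1]
        if modrm >> 6 == 3:                        # register-direct form only
            src, dst = REGS[(modrm >> 3) & 7], REGS[modrm & 7]
            return 2, "%s %%%s,%%%s" % ("mov" if b == 0x89 else "xor", src, dst)
    if b == 0xCD and i + 2 <= len(buf):            # int imm8
        return 2, "int $0x%x" % buf[i + 1]
    return None


def decode_until_ret(buf, start):
    """Decode linearly from start; return (ret_index, [texts]) or None."""
    i, insns = start, []
    while i < len(buf):
        r = decode_one(buf, i)
        if r is None:                # undecodable byte: no gadget from here
            return None
        length, text = r
        insns.append(text)
        if text == "ret":
            return i, insns
        i += length
    return None


def find_gadgets(buf, base, depth=8):
    """Like -g: every ret-terminated stream, trying each start byte before a ret."""
    gadgets = []
    for ret_idx in (i for i, b in enumerate(buf) if b == 0xC3):
        for start in range(max(0, ret_idx - depth), ret_idx + 1):
            r = decode_until_ret(buf, start)
            # Keep only streams whose *first* ret is this one, so that each
            # gadget is reported exactly once.
            if r is not None and r[0] == ret_idx:
                gadgets.append((base + start, " | ".join(r[1])))
    return gadgets


def find_opcode(buf, base, opcode):
    """Like -opcode: raw byte pattern search (overlapping matches allowed)."""
    rx = b"(?=" + re.escape(opcode) + b")"
    return [base + m.start() for m in re.finditer(rx, buf)]


def find_string(buf, base, pattern):
    """Like -string: literal search where '?' matches any single byte."""
    rx = b"".join(b"." if ch == "?" else re.escape(ch.encode()) for ch in pattern)
    return [base + m.start() for m in re.finditer(b"(?=" + rx + b")", buf, re.DOTALL)]


if __name__ == "__main__":
    for addr, text in find_gadgets(EXEC_SEG, EXEC_BASE):
        print("0x%08x: %s" % (addr, text))
    print("-opcode \\xcd\\x80:", [hex(a) for a in find_opcode(EXEC_SEG, EXEC_BASE, b"\xcd\x80")])
    print("-string m?in   :", [hex(a) for a in find_string(RO_SEG, RO_BASE, "m?in")])
```

Running it lists eight gadgets, the first two being `0x0806bb68: mov $0x5e5bf089,%edi | ret` and `0x0806bb69: mov %esi,%eax | pop %ebx | pop %esi | ret`, the opcode search reports the single `cd 80` location, and the `m?in` search reports both `main` and `m4in`. Start offsets that land on a byte the decoder does not understand (here `f0`, `c0`, `80`) simply produce no gadget, which is also why a real tool's results depend on how complete its disassembler is.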



 Demo ROPgadget v3.3
 ===================

 ROPgadget Screenshots
 =====================

 

  [ @JonathanSalwan ] Shell-Storm Network - 2008-2012