ROPgadget - Gadgets finder and auto-roper

By @JonathanSalwan - 2011-03-12

ROPgadget tool

This tool lets you search for gadgets in your binaries (ELF format) to facilitate your ROP exploitation. Since version 3.0, ROPgadget has an auto-roper that builds your payload automatically from the gadgets found.

GitHub (Stable v4.0.2) https://github.com/JonathanSalwan/ROPgadget/

Change Log
v4.0.2:   Bug fix in genInstrX86.
          Bug fix by cao - comparison in gadget search for gadgets containing a null character

v4.0.1:   Update python3 to python2.
          Add new script python to generate gadgets table 32 and 64 bits.
          Update default syntax to Intel.
          genInstrX86.py: Add several pop + ret combinations

v4.0.0:   Addition of 64 bit linux support for ROP exploit generation.
          Addition of 64 bit support for ROP gadget searching.
          Addition of Windows PE file loading for gadget searching.
          Addition of detection of shared libraries and improved code gen for them.
          Generation of execve ROP exploits with arbitrary argument vectors.
          Payload generation in PHP, C and Perl as well as improved generation for python.
          Color disable/enable switch.
          Improved user friendliness.
          Vastly increased ROP searching speed.
          Code restructuring for easing addition of new architectures/platforms.
          General refactoring and code friendliness.

v3.4.1:   Bug fix in module importsc with Intel syntax
v3.4.0:   Feature - Support AT&T and Intel syntax
v3.3.4:   Bug fix - False positive (GitHub issue)
v3.3.3:   Bug fix in the supported architectures. (src/check_arch_supported.c)
v3.3.2:   Bug fix (Buffer Overflow - src/check_bind_mode.c)
v3.3.1:   Segmentation fault fixed, on compilation x86 64 bits (src/varop.c)
v3.3:     New core and new features.
How to install
git clone git://github.com/JonathanSalwan/ROPgadget.git
cd ./ROPgadget
make
sudo make install
Usage
Syntax:  ./ROPgadget [FLAGS]  [argv...]

Flags:

    Syntax (default is att):

         -att                      Display all asm in att syntax
         -intel                    Display all asm in intel syntax

    Generation Target (only one can be specified, default is execve /bin/sh):

         -bind      <port>         Set this flag to make a bind shellcode
         -importsc  <shellcode>    Make custom payload (\xFF notation)

    Search Filtering (all can be specified multiple times):

         -filter    <word>         Suppress instructions containing word
         -only      <word>         Only show instructions containing word

    Search Target (only one can be specified, default is internal oplist):

         -opcode    <opcode>       Find opcode in exec segment (\xFF notation)
         -string    <string>       Find string in read segment ('?' any char)
         -asm       <instructions> Assemble instructions then search for them

    Search Limits:

         -limit     <n>            Only find and show n gadgets/strings
         -map       <start-end>    Search between two addresses (0x...-0x...)

    Output Format (default is python):

         -pysyn                    Use Python syntax.
         -perlsyn                  Use Perl syntax.
         -csyn                     Use C syntax.
         -phpsyn                   Use PHP syntax.

    Program/Meta:

         -v                        Version
         -h                        Display this help and exit
         -color                    Force color output
         -nocolor                  Disable color output
         -nopayload                Disable payload generation

Arguments:
    The first non-flag argument is the file to perform operations on.
    If any positional arguments remain after the file, they are
    used as the argv for the execve ROP exploit (thus the first
    should be a full path to an executable).

Ex:
         ./ROPgadget ./smashme.bin -bind 8080
         ./ROPgadget ./smashme.bin -importsc "\x6a\x02\x58\xcd\x80\xeb\xf9"
         ./ROPgadget ./smashme.bin -only "pop" -filter "eax"
         ./ROPgadget ./smashme.bin -opcode "\xcd\x80"
         ./ROPgadget ./smashme.bin -intel -asm "mov eax, [eax] ; ret"
         ./ROPgadget ./smashme.bin -att -asm "int \$0x80"
         ./ROPgadget ./smashme.bin -string "main"
         ./ROPgadget ./smashme.bin -string "m?in"
         ./ROPgadget ./smashme.bin /bin/echo "1 4m 4 1337 h4x0r!"
Gadgets found

The tool can find a gadget inside another gadget, because x86 instructions can be decoded from any byte offset.

ROPgadget finds it: `0x0806bb68: mov $0x5e5bf089,%edi | ret`

The original (aligned) disassembly of the same bytes is:
|                                                                            |
| 806bb68 ! bf                               db          0bfh                |
| 806bb69 !                                                                  |
| ....... ! loc_806bb69:                    ;xref j806bb4c j806bb53 j806bb5e |
| ....... ! 89f0                             mov         eax, esi            |
| 806bb6b !                                                                  |
| ....... ! loc_806bb6b:                    ;xref j806bb2e j806bb36 j806bb3d |
| ....... !                                 ;xref j806bb44 j806bb70 j806bb77 |
| ....... !                                 ;xref j806bb7e                   |
| ....... ! 5b                               pop         ebx                 |
| 806bb6c ! 5e                               pop         esi                 |
| 806bb6d ! c3                               ret                             |
| 806bb6e !                                                                  |
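The following is a minimal gadget finder added here as an illustration; it is not ROPgadget's own code. It reproduces the gadget-in-gadget case above (the unaligned decode of bf 89 f0 5b 5e c3) and the -only/-filter behaviour from the usage section; the byte buffer is constructed from the listing and the decoder covers only the opcodes that listing uses.

```python
# Added example, not ROPgadget's own code: a minimal x86-32 gadget finder
# showing how "mov edi, 0x5e5bf089 ; ret" hides inside the aligned sequence
# "db 0bfh / mov eax, esi / pop ebx / pop esi / ret" listed above. Only the
# opcodes that listing needs are decoded; any other byte aborts the decode.
BASE = 0x0806BB68                     # address of the listing above
CODE = bytes.fromhex("bf89f05b5ec3")  # constructed from the listing's bytes
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def decode_one(buf, off):
    """Decode one instruction at buf[off]; return (text, length) or None."""
    op = buf[off]
    if op == 0xC3:
        return ("ret", 1)
    if 0x58 <= op <= 0x5F:                            # pop r32
        return ("pop %s" % REGS[op - 0x58], 1)
    if 0xB8 <= op <= 0xBF and off + 5 <= len(buf):    # mov r32, imm32
        imm = int.from_bytes(buf[off + 1:off + 5], "little")
        return ("mov %s, 0x%x" % (REGS[op - 0xB8], imm), 5)
    if op == 0x89 and off + 2 <= len(buf):            # mov r/m32, r32, register form only
        modrm = buf[off + 1]
        if modrm >> 6 == 3:
            return ("mov %s, %s" % (REGS[modrm & 7], REGS[(modrm >> 3) & 7]), 2)
    return None

def decode_linear(buf, start, end):
    """Decode forward from start; a gadget only if it lands exactly on the ret at end."""
    insns, off = [], start
    while off < end:
        decoded = decode_one(buf, off)
        if decoded is None:
            return None
        insns.append(decoded[0])
        off += decoded[1]
    return insns + ["ret"] if off == end else None

def find_gadgets(buf, base, depth=5):
    """For every ret byte, try each of the `depth` preceding offsets as a gadget start."""
    gadgets = {}
    for ret in (i for i, b in enumerate(buf) if b == 0xC3):
        for start in range(max(0, ret - depth), ret + 1):
            insns = decode_linear(buf, start, ret)
            if insns:
                gadgets[base + start] = " ; ".join(insns)
    return gadgets

def filter_gadgets(gadgets, only=(), filt=()):
    """Mimic -only/-filter: keep gadgets with every `only` word and none of `filt`."""
    return {a: g for a, g in gadgets.items()
            if all(w in g for w in only) and not any(w in g for w in filt)}
```

Running find_gadgets(CODE, BASE) yields the unaligned gadget at 0x806bb68 next to the aligned ones at 0x806bb69, 0x806bb6b, 0x806bb6c and 0x806bb6d; offset 0x806bb6a is rejected because 0xf0 is not decodable here.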
Demo ROPgadget v3.3


ROPgadget Screenshots v3