
uZetta27 / Easyrop

Licence: gpl-3.0
A Python tool to generate ROP chains



EasyROP

This Python tool lets you search for gadgets and for operations composed of gadgets, and automatically generate ROP chains, in Portable Executable (PE) binaries. EasyROP relies on the Capstone Disassembly Framework to find gadgets.

Install

EasyROP requires Python 3, Capstone and pefile.

Once these dependencies are installed, EasyROP is run as:

$> python EasyROP.py

Use

usage: EasyROP.py [-h] [-v] [--binary <path> [<path> ...]] [--depth <bytes>]
                  [--all] [--nojop] [--noretf] [--op <op>] [--reg-dst <reg>]
                  [--reg-src <reg>] [--ropchain <file>]

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         display EasyROP's version
  --binary <path> [<path> ...]
                        specify a list of binary paths to analyze
  --depth <bytes>       depth for search engine (default 5 bytes)
  --all                 disables the removal of duplicate gadgets
  --nojop               disables JOP gadgets
  --noretf              disables gadgets terminated in a far return (retf)
  --op <op>             search for operation
  --reg-dst <reg>       specify a destination reg to operation
  --reg-src <reg>       specify a source reg to operation
  --ropchain <file>     plain text file with rop chains

Operations

Operations are high-level actions built from gadgets. For example, moving a value from one register to another can be expressed as:

xchg dst, src
xor dst, dst
add dst, src

Specification of operations

Following this DTD, you can specify your own operations in an XML file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE operations [
        <!ELEMENT operations (operation)+>
        <!ELEMENT operation (set)+>
        <!ATTLIST operation
                name CDATA #REQUIRED>
        <!ELEMENT set (ins)+>
        <!ELEMENT ins (reg1|reg2)*>
        <!ATTLIST ins
                mnemonic CDATA #REQUIRED>
        <!ELEMENT reg1 (#PCDATA)>
        <!ATTLIST reg1
                value CDATA #IMPLIED>
        <!ELEMENT reg2 (#PCDATA)>
        <!ATTLIST reg2
                value CDATA #IMPLIED>
        ]>
<operations>
    <operation name="move">
        <set>
            <ins mnemonic="xor">
                <reg1>dst</reg1>
                <reg2>dst</reg2>
            </ins>
            <ins mnemonic="add">
                <reg1>dst</reg1>
                <reg2>src</reg2>
            </ins>
        </set>
    </operation>
</operations>

This XML structure lets you define the register operands of each instruction:

  • dst: destination register
  • src: source register
  • aux: auxiliary register (only one per set)
  • [dst]: memory address held in the destination register
  • [src]: memory address held in the source register
  • {eax, ebx, ecx...}: a specific register
  • {[eax, ebx, ecx...]}: memory address held in a specific register
  • <reg{1,2} value ="0xFFFFFFFF">: required value of the register

Automatic ROP chains generation

Through the --ropchain <path> option you can describe, in a plain-text file, a ROP attack composed of operations defined in the XML. An example:

lc(reg1)
lc(reg2)
sub(reg2, reg1)
clear(reg3)
move(reg3, reg2)

This produces the following output (abridged for readability):

$> python EasyROP.py --binary C:\Windows\system32\kernel32.dll --ropchain rop.txt --nojop --noretf
[+] Analyzing kernel32.dll

lc(reg1)
	[kernel32.dll @ 0x77e1f35d]: pop ebp ; adc bh, dh ; ret 
	[kernel32.dll @ 0x77e000ad]: pop ebp ; ret 
	[kernel32.dll @ 0x77e4a3ed]: pop ecx ; pop ebp ; pop ecx ; pop ebx ; ret 4 
	[kernel32.dll @ 0x77e4a3ef]: pop ecx ; pop ebx ; ret 4 
	[kernel32.dll @ 0x77e2922d]: pop edi ; pop esi ; ret 
	[kernel32.dll @ 0x77e5238b]: pop edi ; ret 
	[kernel32.dll @ 0x77e85f37]: pop edx ; pop eax ; ret 
	[kernel32.dll @ 0x77e976d4]: pop edx ; ret 0xb 
	[kernel32.dll @ 0x77e123a0]: pop esi ; leave ; ret 
	[kernel32.dll @ 0x77e77f01]: pop esi ; ret 4 
	[kernel32.dll @ 0x77e2683c]: pop esp ; add byte ptr [eax], al ; leave ; ret 4 
	[kernel32.dll @ 0x77e735e0]: pop esp ; ret 0xfffb 
lc(reg2)
	[kernel32.dll @ 0x77e6f379]: pop eax ; leave ; ret 
	[kernel32.dll @ 0x77e78a2d]: pop eax ; ret 
	[kernel32.dll @ 0x77e2e386]: pop ebx ; ret 
	[kernel32.dll @ 0x77e4a3f0]: pop ebx ; ret 4 
	[kernel32.dll @ 0x77e93018]: pop ecx ; leave ; ret 4 
	[kernel32.dll @ 0x77e4a3ed]: pop ecx ; pop ebp ; pop ecx ; pop ebx ; ret 4 
	[kernel32.dll @ 0x77e2ef97]: pop edi ; leave ; ret 
	[kernel32.dll @ 0x77e5238b]: pop edi ; ret 
	[kernel32.dll @ 0x77e2683c]: pop esp ; add byte ptr [eax], al ; leave ; ret 4 
	[kernel32.dll @ 0x77e735e0]: pop esp ; ret 0xfffb 
sub(reg2, reg1)
	[kernel32.dll @ 0x77e1d2b1]: sub eax, ecx ; pop ebx ; pop ebp ; ret 8 
	[kernel32.dll @ 0x77e3ec10]: sub eax, esi ; pop esi ; pop ebp ; ret 8 
	[kernel32.dll @ 0x77e1f2ce]: sub ebx, edx ; add byte ptr [eax], al ; ret 4 
	[kernel32.dll @ 0x77e928ed]: sub ecx, ebp ; ja 0x77e928d9 ; ret 
	[kernel32.dll @ 0x77e306a1]: sub ecx, edx ; mov dword ptr [edi], ecx ; ret 
	[kernel32.dll @ 0x77e1fece]: sub ecx, esi ; add byte ptr [eax], al ; ret 8 
	[kernel32.dll @ 0x77e699d2]: sub edi, esp ; dec ecx ; ret 0x14 
	[kernel32.dll @ 0x77e69b50]: sub esp, edi ; dec ecx ; ret 0x14 
clear(reg3)
	[kernel32.dll @ 0x77e0b823]: xor eax, eax ; ret 
	[kernel32.dll @ 0x77e02ce5]: xor eax, eax ; ret 4 
move(reg3, reg2)
	[kernel32.dll @ 0x77e79dcd]: and eax, ecx ; pop ebp ; ret 0xc  (eax = 0xFFFFFFFF)
	[kernel32.dll @ 0x77e3e168]: and eax, ecx ; pop ebp ; ret 4  (eax = 0xFFFFFFFF)
	[kernel32.dll @ 0x77e2243b]: mov eax, eax ; ret 
	[kernel32.dll @ 0x77e913ae]: mov eax, ebx ; pop ebx ; leave ; ret 0x10 
	[kernel32.dll @ 0x77e94bf8]: mov eax, ecx ; leave ; ret 0x18 
	[kernel32.dll @ 0x77e2a43f]: mov eax, ecx ; pop ebp ; ret 8 
	[kernel32.dll @ 0x77e3e138]: mov eax, edi ; pop edi ; leave ; ret 0xc 
	[kernel32.dll @ 0x77e3da51]: mov eax, edi ; pop edi ; leave ; ret 8 
	[kernel32.dll @ 0x77e8772e]: push edi ; pop eax ; pop ebp ; ret 4 
	[kernel32.dll @ 0x77e90c9a]: push edi ; pop eax ; pop esi ; leave ; ret 8 
	[kernel32.dll @ 0x77e63143]: xchg eax, ebx ; cld ; dec ecx ; ret 4 
	[kernel32.dll @ 0x77e631c7]: xchg eax, ebx ; sti ; dec ecx ; ret 4 
	[kernel32.dll @ 0x77e34c56]: xchg eax, edi ; add al, byte ptr [eax] ; leave ; ret 
	[kernel32.dll @ 0x77e212c2]: xchg eax, esp ; ret 

Time elapsed: 0:00:05.522

License

This tool is published under the GNU GPLv3 license.

Thanks

Special thanks to ricardojrdez for directing this project.
