d4em0n / Exrop
Licence: mit
Automatic ROPChain Generation
Stars: ✭ 191
Programming Languages
python
139335 projects - #7 most used programming language
Projects that are alternatives of or similar to Exrop
My-PWN-Life
This is a PWN challenges repo.###### 1f y0u l1ke, g1v3 m3 a star~
Stars: ✭ 23 (-87.96%)
Mutual labels: pwn, ctf, rop
pwnscripts
Very simple script(s) to hasten binary exploit creation
Stars: ✭ 66 (-65.45%)
Mutual labels: pwn, ctf, rop
Hyperpwn
A hyper plugin to provide a flexible GDB GUI with the help of GEF, pwndbg or peda
Stars: ✭ 387 (+102.62%)
Mutual labels: ctf, pwn, reverse-engineering
Gef
GEF (GDB Enhanced Features) - a modern experience for GDB with advanced debugging features for exploit developers & reverse engineers ☢
Stars: ✭ 4,197 (+2097.38%)
Mutual labels: ctf, pwn, reverse-engineering
Pwndra
A collection of pwn/CTF related utilities for Ghidra
Stars: ✭ 417 (+118.32%)
Mutual labels: ctf, pwn, reverse-engineering
Ctf Pwn Tips
Here record some tips about pwn. Something is obsoleted and won't be updated. Sorry about that.
Stars: ✭ 1,249 (+553.93%)
Mutual labels: ctf, pwn
Pentesting toolkit
🏴☠️ Tools for pentesting, CTFs & wargames. 🏴☠️
Stars: ✭ 1,268 (+563.87%)
Mutual labels: ctf, reverse-engineering
Bap
Binary Analysis Platform
Stars: ✭ 1,385 (+625.13%)
Mutual labels: symbolic-execution, reverse-engineering
Pwn Sandbox
A sandbox to protect your pwn challenges being pwned in CTF AWD.
Stars: ✭ 81 (-57.59%)
Mutual labels: ctf, pwn
Rebel Framework
Advanced and easy to use penetration testing framework 💣🔎
Stars: ✭ 183 (-4.19%)
Mutual labels: ctf, reverse-engineering
Awesome Hacking Resources
A collection of hacking / penetration testing resources to make you better!
Stars: ✭ 11,466 (+5903.14%)
Mutual labels: ctf, reverse-engineering
One gadget
The best tool for finding one gadget RCE in libc.so.6
Stars: ✭ 1,306 (+583.77%)
Mutual labels: ctf, pwn
Libc Database
Build a database of libc offsets to simplify exploitation
Stars: ✭ 1,122 (+487.43%)
Mutual labels: ctf, pwn
Triton
Triton is a Dynamic Binary Analysis (DBA) framework. It provides internal components like a Dynamic Symbolic Execution (DSE) engine, a dynamic taint engine, AST representations of the x86, x86-64, ARM32 and AArch64 Instructions Set Architecture (ISA), SMT simplification passes, an SMT solver interface and, the last but not least, Python bindings.
Stars: ✭ 1,934 (+912.57%)
Mutual labels: symbolic-execution, reverse-engineering
Exrop
Exrop is automatic ROP chains generator tool which can build gadget chain automatically from given binary and constraints
Requirements : Triton, ROPGadget
Only support for x86-64 for now!
Features:
- handling non-return gadgets (jmp reg, call reg)
- set registers (
rdi=0xxxxxx, rsi=0xxxxxx) - set register to register (
rdi=rax) - write to mem
- write string/bytes to mem
- function call (
open('/etc/passwd',0)) - pass register in function call (
read('rax', bss, 0x100)) - avoiding badchars
- stack pivoting (
Exrop.stack_pivot) - syscall (
Exrop.syscall) - see examples
installation
- install python (3.6 is recomended and tested)
- install triton (https://triton.quarkslab.com/documentation/doxygen/index.html#linux_install_sec), make sure you add
-DPYTHON36=onas cmake option - install ropgadget (https://github.com/JonathanSalwan/ROPgadget)
- to install exrop, easily add
export PYTHONPATH=/path/to/exrop:$PYTHONPATHin your.bashrc(depends on your shell)
demo
from Exrop import Exrop
rop = Exrop("/bin/ls")
rop.find_gadgets(cache=True)
print("write-regs gadgets: rdi=0x41414141, rsi:0x42424242, rdx: 0x43434343, rax:0x44444444, rbx=0x45454545")
chain = rop.set_regs({'rdi':0x41414141, 'rsi': 0x42424242, 'rdx':0x43434343, 'rax':0x44444444, 'rbx': 0x45454545})
chain.dump()
print("write-what-where gadgets: [0x41414141]=0xdeadbeefff, [0x43434343]=0x110011")
chain = rop.set_writes({0x41414141: 0xdeadbeefff, 0x43434343: 0x00110011})
chain.dump()
print("write-string gadgets 0x41414141=\"Hello world!\\n\"")
chain = rop.set_string({0x41414141: "Hello world!\n"})
chain.dump()
print("func-call gadgets 0x41414141(0x20, 0x30, \"Hello\")")
chain = rop.func_call(0x41414141, (0x20, 0x30, "Hello"), 0x7fffff00)
chain.dump()
Output:
write-regs gadget: rdi=0x41414141, rsi:0x42424242, rdx: 0x43434343, rax:0x44444444, rbx=0x45454545
$RSP+0x0000 : 0x00000000000060d0 # pop rbx; ret
$RSP+0x0008 : 0x0000000044444444
$RSP+0x0010 : 0x0000000000014852 # mov rax, rbx; pop rbx; ret
$RSP+0x0018 : 0x0000000000000000
$RSP+0x0020 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0028 : 0x0000000041414141
$RSP+0x0030 : 0x000000000000629c # pop rsi; ret
$RSP+0x0038 : 0x0000000042424242
$RSP+0x0040 : 0x0000000000003a62 # pop rdx; ret
$RSP+0x0048 : 0x0000000043434343
$RSP+0x0050 : 0x00000000000060d0 # pop rbx; ret
$RSP+0x0058 : 0x0000000045454545
write-what-where gadgets: [0x41414141]=0xdeadbeefff, [0x43434343]=0x110011
$RSP+0x0000 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0008 : 0x000000deadbeefff
$RSP+0x0010 : 0x000000000000d91f # mov rax, rdi; ret
$RSP+0x0018 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0020 : 0x0000000041414139
$RSP+0x0028 : 0x000000000000e0fb # mov qword ptr [rdi + 8], rax; ret
$RSP+0x0030 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0038 : 0x0000000000110011
$RSP+0x0040 : 0x000000000000d91f # mov rax, rdi; ret
$RSP+0x0048 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0050 : 0x000000004343433b
$RSP+0x0058 : 0x000000000000e0fb # mov qword ptr [rdi + 8], rax; ret
write-string gadgets 0x41414141="Hello world!\n"
$RSP+0x0000 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0008 : 0x6f77206f6c6c6548
$RSP+0x0010 : 0x000000000000d91f # mov rax, rdi; ret
$RSP+0x0018 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0020 : 0x0000000041414139
$RSP+0x0028 : 0x000000000000e0fb # mov qword ptr [rdi + 8], rax; ret
$RSP+0x0030 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0038 : 0x0000000a21646c72
$RSP+0x0040 : 0x000000000000d91f # mov rax, rdi; ret
$RSP+0x0048 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0050 : 0x0000000041414141
$RSP+0x0058 : 0x000000000000e0fb # mov qword ptr [rdi + 8], rax; ret
func-call gadgets 0x41414141(0x20, 0x30, "Hello")
$RSP+0x0000 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0008 : 0x0000006f6c6c6548
$RSP+0x0010 : 0x000000000000d91f # mov rax, rdi; ret
$RSP+0x0018 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0020 : 0x000000007ffffef8
$RSP+0x0028 : 0x000000000000e0fb # mov qword ptr [rdi + 8], rax; ret
$RSP+0x0030 : 0x0000000000004ce5 # pop rdi; ret
$RSP+0x0038 : 0x0000000000000020
$RSP+0x0040 : 0x000000000000629c # pop rsi; ret
$RSP+0x0048 : 0x0000000000000030
$RSP+0x0050 : 0x0000000000003a62 # pop rdx; ret
$RSP+0x0058 : 0x000000007fffff00
$RSP+0x0060 : 0x0000000041414141
python3 tests.py 1,48s user 0,05s system 97% cpu 1,566 total
Another example: open-read-write gadgets!
from pwn import *
import time
from Exrop import Exrop
binname = "/lib/x86_64-linux-gnu/libc.so.6"
libc = ELF(binname, checksec=False)
open = libc.symbols['open']
read = libc.symbols['read']
write = libc.symbols['write']
bss = libc.bss()
t = time.mktime(time.gmtime())
rop = Exrop(binname)
rop.find_gadgets(cache=True)
print("open('/etc/passwd', 0)")
chain = rop.func_call(open, ("/etc/passwd", 0), bss)
chain.set_base_addr(0x00007ffff79e4000)
chain.dump()
print("read('rax', bss, 0x100)") # register can be used as argument too!
chain = rop.func_call(read, ('rax', bss, 0x100))
chain.set_base_addr(0x00007ffff79e4000)
chain.dump()
print("write(1, bss, 0x100)")
chain = rop.func_call(write, (1, bss, 0x100))
chain.set_base_addr(0x00007ffff79e4000)
chain.dump()
print("done in {}s".format(time.mktime(time.gmtime()) - t))
Output:
open('/etc/passwd', 0)
$RSP+0x0000 : 0x00007ffff7a05a45 # pop r13 ; ret
$RSP+0x0008 : 0x00000000003ec860
$RSP+0x0010 : 0x00007ffff7a7630c # xor edi, edi ; pop rbx ; mov rax, rdi ; pop rbp ; pop r12 ; ret
$RSP+0x0018 : 0x00007ffff7a0555f
$RSP+0x0020 : 0x0000000000000000
$RSP+0x0028 : 0x0000000000000000
$RSP+0x0030 : 0x00007ffff7a06b8a # mov r9, r13 ; call rbx: next -> (0x0002155f) # pop rdi ; ret
$RSP+0x0038 : 0x00007ffff7a0555f # pop rdi ; ret
$RSP+0x0040 : 0x7361702f6374652f
$RSP+0x0048 : 0x00007ffff7b251c7 # mov qword ptr [r9], rdi ; ret
$RSP+0x0050 : 0x00007ffff7a05a45 # pop r13 ; ret
$RSP+0x0058 : 0x00000000003ec868
$RSP+0x0060 : 0x00007ffff7a7630c # xor edi, edi ; pop rbx ; mov rax, rdi ; pop rbp ; pop r12 ; ret
$RSP+0x0068 : 0x00007ffff7a0555f
$RSP+0x0070 : 0x0000000000000000
$RSP+0x0078 : 0x0000000000000000
$RSP+0x0080 : 0x00007ffff7a06b8a # mov r9, r13 ; call rbx: next -> (0x0002155f) # pop rdi ; ret
$RSP+0x0088 : 0x00007ffff7a0555f # pop rdi ; ret
$RSP+0x0090 : 0x0000000000647773
$RSP+0x0098 : 0x00007ffff7b251c7 # mov qword ptr [r9], rdi ; ret
$RSP+0x00a0 : 0x00007ffff7a62c70 # xor esi, esi ; mov rax, rsi ; ret
$RSP+0x00a8 : 0x00007ffff7a0555f # pop rdi ; ret
$RSP+0x00b0 : 0x00000000003ec860
$RSP+0x00b8 : 0x000000000010fc40
read('rax', bss, 0x100)
$RSP+0x0000 : 0x00007ffff7a71362 # mov dh, 0xc5 ; pop rbx ; pop rbp ; pop r12 ; ret
$RSP+0x0008 : 0x0000000000000000
$RSP+0x0010 : 0x0000000000000000
$RSP+0x0018 : 0x00007ffff7a0555f
$RSP+0x0020 : 0x00007ffff7aea899 # mov r8, rax ; call r12: next -> (0x0002155f) # pop rdi ; ret
$RSP+0x0028 : 0x00007ffff7b4a3b1 # pop rax ; pop rdx ; pop rbx ; ret
$RSP+0x0030 : 0x00007ffff79e5b96
$RSP+0x0038 : 0x0000000000000000
$RSP+0x0040 : 0x0000000000000000
$RSP+0x0048 : 0x00007ffff7a7fa08 # mov rdi, r8 ; call rax: next -> (0x00001b96) # pop rdx ; ret
$RSP+0x0050 : 0x00007ffff79e5b96 # pop rdx ; ret
$RSP+0x0058 : 0x0000000000000100
$RSP+0x0060 : 0x00007ffff7a07e6a # pop rsi ; ret
$RSP+0x0068 : 0x00000000003ec860
$RSP+0x0070 : 0x0000000000110070
write(1, bss, 0x100)
$RSP+0x0000 : 0x00007ffff7a0555f # pop rdi ; ret
$RSP+0x0008 : 0x0000000000000001
$RSP+0x0010 : 0x00007ffff79e5b96 # pop rdx ; ret
$RSP+0x0018 : 0x0000000000000100
$RSP+0x0020 : 0x00007ffff7a07e6a # pop rsi ; ret
$RSP+0x0028 : 0x00000000003ec860
$RSP+0x0030 : 0x0000000000110140
done in 3.0s (Running on: A9-9420 RADEON R5 2C+3G (2) @ 3.000GHz (using cached))
Note that the project description data, including the texts, logos, images, and/or trademarks,
for each open source project belongs to its rightful owner.
If you wish to add or remove any projects, please contact us at [email protected].