GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → Ben-Lichtman → ropr

Ben-Lichtman / ropr

Licence: other
A blazing fast™ multithreaded ROP Gadget finder. ropper / ropgadget alternative

Programming Languages

rust
11053 projects

Labels

ropcommand-line-toolexploitationrop-chainrop-gadget

Projects that are alternatives of or similar to ropr

DrGadget
dr.rer.oec.gadget IDAPython plugin for the Interactive Disassembler <ABANDONED PROJECT>
Stars: ✭ 61 (-69.5%)
Mutual labels:  rop, exploitation, rop-chain
ROP-Emporium
Solutions for ROP Emporium challenges (https://ropemporium.com/) in python.
Stars: ✭ 38 (-81%)
Mutual labels:  rop, exploitation
rop-benchmark
ROP Benchmark is a tool to compare ROP compilers
Stars: ✭ 23 (-88.5%)
Mutual labels:  rop, rop-chain
Exploit-Development
Exploit Development - Weaponized Exploit and Proof of Concepts (PoC)
Stars: ✭ 84 (-58%)
Mutual labels:  rop, rop-chain
Ropa
GUI tool to create ROP chains using the ropper API
Stars: ✭ 151 (-24.5%)
Mutual labels:  rop, exploitation
Exploit me
Very vulnerable ARM/AARCH64 application (CTF style exploitation tutorial with 14 vulnerability techniques)
Stars: ✭ 665 (+232.5%)
Mutual labels:  rop, exploitation
xgadget
Fast, parallel, cross-variant ROP/JOP gadget search for x86/x64 binaries.
Stars: ✭ 33 (-83.5%)
Mutual labels:  rop, exploitation
Ropper
Display information about files in different file formats and find gadgets to build rop chains for different architectures (x86/x86_64, ARM/ARM64, MIPS, PowerPC, SPARC64). For disassembly ropper uses the awesome Capstone Framework.
Stars: ✭ 1,218 (+509%)
Mutual labels:  rop, exploitation
Arm exploitation
Exploitation on ARM-based Systems (Troopers18)
Stars: ✭ 139 (-30.5%)
Mutual labels:  rop, exploitation
readhook
Red-team tool to hook libc read syscall with a buffer overflow vulnerability.
Stars: ✭ 31 (-84.5%)
Mutual labels:  rop, rop-chain
BFS2019
Bluefrost Exploitation Challenge 2019 - Exploit and Writeup
Stars: ✭ 20 (-90%)
Mutual labels:  exploitation, rop-chain
vimwasm-try-plugin
Try Vim plugin on your browser without installing it using vim.wasm!
Stars: ✭ 21 (-89.5%)
Mutual labels:  command-line-tool
swift-commandlinekit
Framework supporting the development of command-line tools in Swift on macOS and Linux. The framework supports managing command-line arguments, provides lightweight functions to deal with escape sequences, and defines an API for reading strings from the terminal.
Stars: ✭ 38 (-81%)
Mutual labels:  command-line-tool
maalik
Feature-rich Post Exploitation Framework with Network Pivoting capabilities.
Stars: ✭ 75 (-62.5%)
Mutual labels:  exploitation
SQL-Injection-cheat-sheet
Cheatsheet to exploit and learn SQL Injection.
Stars: ✭ 69 (-65.5%)
Mutual labels:  exploitation
SimpleSqlExec
Lightweight command-line utility to execute queries on SQL Server in place of SQLCMD
Stars: ✭ 20 (-90%)
Mutual labels:  command-line-tool
metronome
A set of tools for modifying and randomizing Pokémon games
Stars: ✭ 23 (-88.5%)
Mutual labels:  command-line-tool
Bash
Collection of bash scripts I wrote to make my life easier or test myself that you may find useful.
Stars: ✭ 19 (-90.5%)
Mutual labels:  exploitation
rclc
Mathematical expression calculator with big integers, floats, common fractions, and complex numbers support
Stars: ✭ 24 (-88%)
Mutual labels:  command-line-tool
wholesome-cli
Command Line Tool for managing Flutter projects
Stars: ✭ 57 (-71.5%)
Mutual labels:  command-line-tool
View All Similar Projects ➔

ropr

ropr is a blazing fast multithreaded ROP Gadget finder

What is a ROP Gadget?

ROP (Return Oriented Programming) Gadgets are small snippets of a few assembly instructions typically ending in a ret instruction which already exist as executable code within each binary or library. These gadgets may be used for binary exploitation and to subvert vulnerable executables.

When the addresses of many ROP Gadgets are written into a buffer we have formed a ROP Chain. If an attacker can move the stack pointer into this ROP Chain then control can be completely transferred to the attacker.

Most executables contain enough gadgets to write a turing-complete ROP Chain. For those that don't, one can always use dynamic libraries contained in the same address-space such as libc once we know their addresses.

The beauty of using ROP Gadgets is that no new executable code needs to be written anywhere - an attacker may achieve their objective using only the code that already exists in the program.

How do I use a ROP Gadget?

Typically the first requirement to use ROP Gadgets is to have a place to write your ROP Chain - this can be any readable buffer. Simply write the addresses of each gadget you would like to use into this buffer. If the buffer is too small there may not be enough room to write a long ROP Chain into and so an attacker should be careful to craft their ROP Chain to be efficient enough to fit into the space available.

The next requirement is to be able to control the stack - This can take the form of a stack overflow - which allows the ROP Chain to be written directly under the stack pointer, or a "stack pivot" - which is usually a single gadget which moves the stack pointer to the rest of the ROP Chain.

Once the stack pointer is at the start of your ROP Chain, the next ret instruction will trigger the gadgets to be excuted in sequence - each using the next as its return address on its own stack frame.

It is also possible to add function poitners into a ROP Chain - taking care that function arguments be supplied after the next element of the ROP Chain. This is typically combined with a "pop gadget", which pops the arguments off the stack in order to smoothly transition to the next gadget after the function arguments.

How do I install ropr?

  • Requires cargo (the rust build system)

Easy install:

cargo install ropr

the application will install to ~/.cargo/bin

From source:

git clone https://github.com/Ben-Lichtman/ropr
cd ropr
cargo build --release

the resulting binary will be located in target/release/ropr

Alternatively:

git clone https://github.com/Ben-Lichtman/ropr
cd ropr
cargo install --path .

the application will install to ~/.cargo/bin

How do I use ropr?

USAGE:
    ropr [OPTIONS] <BINARY>

ARGS:
    <BINARY>    The path of the file to inspect

OPTIONS:
    -b, --base-pivot               Filters for gadgets which alter the base pointer
    -c, --colour <COLOUR>          Forces output to be in colour or plain text (`true` or `false`)
    -h, --help                     Print help information
    -j, --nojop                    Removes "JOP Gadgets" - these may have a controllable branch,
                                   call, etc. instead of a simple `ret` at the end
    -m, --max-instr <MAX_INSTR>    Maximum number of instructions in a gadget [default: 6]
    -n, --noisy                    Includes potentially low-quality gadgets such as prefixes,
                                   conditional branches, and near branches (will find significantly
                                   more gadgets)
    -p, --stack-pivot              Filters for gadgets which alter the stack pointer
    -r, --norop                    Removes normal "ROP Gadgets"
    -R, --regex <REGEX>            Perform a regex search on the returned gadgets for easy filtering
        --range <RANGE>            Search between address ranges (in hexadecial) eg. `0x1234-0x4567`
        --raw <RAW>                Treats the input file as a blob of code (`true` or `false`)
    -s, --nosys                    Removes syscalls and other interrupts
    -V, --version                  Print version information

For example if I was looking for a way to fill rax with a value from another register I may choose to filter by the regex ^mov eax, ...;:

❯ ropr /usr/lib/libc.so.6 -R "^mov eax, ...;" > /dev/null

==> Found 197 gadgets in 0.118 seconds

Now I can add some filters to the command line for the highest quality results:

❯ ropr /usr/lib/libc.so.6 -m 2 -j -s -R "^mov eax, ...;"
0x000353e7: mov eax, eax; ret;
0x000788c8: mov eax, ecx; ret;
0x00052252: mov eax, edi; ret;
0x0003ae43: mov eax, edx; ret;
0x000353e6: mov eax, r8d; ret;
0x000788c7: mov eax, r9d; ret;

==> Found 6 gadgets in 0.046 seconds

Now I have a good mov gadget candidate at address 0x00052252

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].