Published on April 12th, 2015
Ropper – ROP gadget finder and binary information tool
With Ropper you can display information about executables in several file formats (ELF, PE, Mach-O and raw blobs) and search them for gadgets to build ROP chains for several architectures. For disassembly Ropper uses the Capstone framework.
Ropper is inspired by ROPgadget, but is meant to be more than a gadget finder: it can also show information about a binary (header, segments, sections, imports, symbols) and edit header fields in place. At present the editable fields are the ASLR and NX flags (--set / --unset aslr|nx), which is handy when you want to test how an exploit behaves against the same binary with a mitigation toggled.
ROP chains for the execve and mprotect syscalls can now be generated automatically (the "auto-roper" feature, --chain), currently for Linux x86 only.
usage: ropper [-h] [-v] [--console] [-f <file>] [-a <arch>] [-i] [-e]
[--imagebase] [-c] [-s] [-S] [--imports] [--symbols]
[--set <option>] [--unset <option>] [-I <imagebase>] [-p]
[-j <reg>] [--depth <n bytes>] [--search <regex>]
[--quality <quality>] [--filter <regex>] [--opcode <opcode>]
[--type <type>] [--detail] [--chain <generator>] [-b <badbytes>]
[--nocolor]
With ropper you can show information about files in different file formats
and you can find gadgets to build rop chains for different architectures.
supported filetypes:
ELF
PE
Mach-O
Raw
supported architectures:
x86 [x86]
x86_64 [x86_64]
MIPS [MIPS, MIPS64]
ARM/Thumb [ARM, ARMTHUMB]
ARM64 [ARM64]
PowerPC [PPC, PPC64]
available rop chain generators:
execve (execve[=<cmd>], default /bin/sh) [Linux x86]
mprotect (mprotect=<address>:<size>) [Linux x86]
optional arguments:
-h, --help show this help message and exit
-v, --version Print version
--console Starts interactive commandline
-f <file>, --file <file>
The file to load
-a <arch>, --arch <arch>
The architecture of the loaded file
-i, --info Shows file header [ELF/PE/Mach-O]
-e Shows EntryPoint
--imagebase Shows ImageBase [ELF/PE/Mach-O]
-c, --dllcharacteristics
Shows DllCharacteristics [PE]
-s, --sections Shows file sections [ELF/PE/Mach-O]
-S, --segments Shows file segments [ELF/Mach-O]
--imports Shows imports [ELF/PE]
--symbols Shows symbols [ELF]
--set <option> Sets options. Available options: aslr nx
--unset <option> Unsets options. Available options: aslr nx
-I <imagebase> Uses this imagebase for gadgets
-p, --ppr Searches for 'pop reg; pop reg; ret' instructions
[only x86/x86_64]
-j <reg>, --jmp <reg>
Searches for 'jmp reg' instructions (-j reg[,reg...])
[only x86/x86_64]
--depth <n bytes> Specifies the depth of search (default: 10)
--search <regex> Searches for gadgets
--quality <quality> The quality for gadgets which are found by search (1 =
best)
--filter <regex> Filters gadgets
--opcode <opcode> Searches for opcodes
--type <type> Sets the type of gadgets [rop, jop, all] (default:
all)
--detail Prints gadgets more detailed
--chain <generator> Generates a ropchain [generator=parameter]
-b <badbytes>, --badbytes <badbytes>
Set bytes which should not contains in gadgets
--nocolor Disables colored output
example uses:
[Generic]
ropper.py
ropper.py --file /bin/ls --console
[Informations]
ropper.py --file /bin/ls --info
ropper.py --file /bin/ls --imports
ropper.py --file /bin/ls --sections
ropper.py --file /bin/ls --segments
ropper.py --file /bin/ls --set nx
ropper.py --file /bin/ls --unset nx
[Gadgets]
ropper.py --file /bin/ls --depth 5
ropper.py --file /bin/ls --search "sub eax" --badbytes 000a0d
ropper.py --file /bin/ls --search "sub eax" --detail
ropper.py --file /bin/ls --filter "sub eax"
ropper.py --file /bin/ls --depth 5 --filter "sub eax"
ropper.py --file /bin/ls --opcode ffe4
ropper.py --file /bin/ls --detail
ropper.py --file /bin/ls --ppr --nocolor
ropper.py --file /bin/ls --jmp esp,eax
ropper.py --file /bin/ls --type jop
ropper.py --file /bin/ls --chain execve=/bin/sh
ropper.py --file /bin/ls --chain execve=/bin/sh --badbytes 000a0d
ropper.py --file /bin/ls --chain mprotect=0xbfdff000:0x21000
[Search]
? any character
% any string
Example:
ropper.py --file /bin/ls --search "mov e?x"
0x000067f1: mov edx, dword ptr [ebp + 0x14]; mov dword ptr [esp], edx; call eax
0x00006d03: mov eax, esi; pop ebx; pop esi; pop edi; pop ebp; ret ;
0x00006d6f: mov ebx, esi; mov esi, dword ptr [esp + 0x18]; add esp, 0x1c; ret ;
0x000076f8: mov eax, dword ptr [eax]; mov byte ptr [eax + edx], 0; add esp, 0x18; pop ebx; ret ;
ropper.py --file /bin/ls --search "mov [%], ecx"
0x000067ed: mov dword ptr [esp + 4], edx; mov edx, dword ptr [ebp + 0x14]; mov dword ptr [esp], edx; call eax;
0x00006f4e: mov dword ptr [ecx + 0x14], edx; add esp, 0x2c; pop ebx; pop esi; pop edi; pop ebp; ret ;
0x000084b8: mov dword ptr [eax], edx; ret ;
0x00008d9b: mov dword ptr [eax], edx; add esp, 0x18; pop ebx; ret ;
ropper.py --file /bin/ls --search "mov [%], edx" --quality 1
0x000084b8: mov dword ptr [eax], edx; ret ;
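As an added worked example (not Ropper's own code, and independent of the ropper package), the following Python re-implements a small subset of the help text above over a constructed byte blob: the --ppr and --jmp searches, --opcode, rebasing with -I <imagebase>, the --badbytes address filter and the ?/% search wildcards. The register table, the sample bytes and the 0x08048000 image base are assumptions made for the demonstration; a real binary needs a full disassembler such as the Capstone engine Ropper uses, because this toy only recognises the few one- and two-byte encodings it needs.

```python
# Added example, not Ropper's own code: a tiny x86 gadget scanner covering
# --ppr, --jmp <reg>, --opcode, -I <imagebase>, --badbytes and ?/% search.
# It only decodes pop r32 (0x58..0x5f), ret (0xc3) and jmp r32 (0xff 0xe0..0xe7).
import re

# Register order of the single-byte pop encodings and of the r/m field of
# "jmp r/m32" (ModRM 0xe0..0xe7).
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed sample .text bytes (not from any real binary): gadgets planted
# at known offsets with NOP (0x90) filler in between.
SAMPLE_TEXT = (
    b"\x90" * 3
    + b"\x5b\x5e\xc3"   # 0x03: pop ebx; pop esi; ret
    + b"\x90" * 4
    + b"\x58\x5d\xc3"   # 0x0a: pop eax; pop ebp; ret  (address will hold 0x0a)
    + b"\x90" * 3
    + b"\xff\xe4"       # 0x10: jmp esp
    + b"\x90" * 10
    + b"\xff\xe0"       # 0x1c: jmp eax
    + b"\x90" * 2
)
# Assumed load address of a non-PIE 32-bit Linux ELF (what -I <imagebase> sets).
IMAGEBASE = 0x08048000


def find_ppr(text):
    """(offset, text) of every 'pop reg; pop reg; ret', like --ppr."""
    found = []
    for i in range(len(text) - 2):
        a, b, c = text[i], text[i + 1], text[i + 2]
        if 0x58 <= a <= 0x5F and 0x58 <= b <= 0x5F and c == 0xC3:
            found.append((i, "pop %s; pop %s; ret" % (REGS[a - 0x58], REGS[b - 0x58])))
    return found


def find_jmp(text, regs):
    """(offset, text) of every 'jmp reg' for the given registers, like --jmp esp,eax."""
    wanted = {REGS.index(r) for r in regs}
    found = []
    for i in range(len(text) - 1):
        if text[i] == 0xFF and 0xE0 <= text[i + 1] <= 0xE7:
            reg = text[i + 1] - 0xE0
            if reg in wanted:
                found.append((i, "jmp %s" % REGS[reg]))
    return found


def find_opcode(text, hexstr):
    """Offsets of a raw byte sequence, like --opcode ffe4."""
    needle = bytes.fromhex(hexstr)
    found, i = [], text.find(needle)
    while i != -1:
        found.append(i)
        i = text.find(needle, i + 1)
    return found


def rebase(gadgets, imagebase):
    """Turn file offsets into runtime addresses (the effect of -I <imagebase>)."""
    return [(imagebase + off, txt) for off, txt in gadgets]


def has_badbytes(address, badbytes, width=4):
    """True if the little-endian address contains a forbidden byte (--badbytes 000a0d):
    a chain delivered via strcpy()/gets()/a line-based protocol cannot carry NUL, LF or CR."""
    bad = set(bytes.fromhex(badbytes))
    return any(b in bad for b in address.to_bytes(width, "little"))


def filter_badbytes(gadgets, badbytes):
    """Drop gadgets whose address cannot be written into the payload."""
    return [(addr, txt) for addr, txt in gadgets if not has_badbytes(addr, badbytes)]


def wildcard_to_regex(pattern):
    """Ropper's --search syntax: '?' matches any character, '%' any string."""
    parts = ["." if ch == "?" else ".*" if ch == "%" else re.escape(ch) for ch in pattern]
    return re.compile("".join(parts))


def search(gadgets, pattern):
    """Gadgets whose disassembly matches the wildcard pattern."""
    rx = wildcard_to_regex(pattern)
    return [g for g in gadgets if rx.search(g[1])]


if __name__ == "__main__":
    ppr = rebase(find_ppr(SAMPLE_TEXT), IMAGEBASE)
    for addr, txt in ppr:
        note = "   <- dropped by --badbytes 000a0d" if has_badbytes(addr, "000a0d") else ""
        print("0x%08x: %s%s" % (addr, txt, note))
    for addr, txt in rebase(find_jmp(SAMPLE_TEXT, ["esp", "eax"]), IMAGEBASE):
        print("0x%08x: %s" % (addr, txt))
    print("pop e?x ->", [txt for _, txt in search(ppr, "pop e?x")])
```

Note that the bad-byte check has to run on the rebased address, not the file offset: 0x0804800a is unusable for a NUL/LF/CR-free payload although its offset 0x0a looks harmless next to 0x03, which is exactly why the help examples pass --badbytes together with --chain.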
Download
https://github.com/sashs/Ropper (v1.4.3, 05.03.2015)