This tool lets you search your gadgets on your binaries (ELF format) to facilitate your ROP exploitation. Since version 3.0, ROPgadget has a auto-roper for build your payload automatically with the gadgets found.
GitHub (Stable v4.0.3) https://github.com/JonathanSalwan/ROPgadget/
v4.0.3: Made searching for gadgets faster by dark-rose v4.0.2: Bug fix genInstrX86. Bug fix by cao - comparison in gadget search for gadgets with null character v4.0.1: Update python3 to python2. Add new script python to generate gadgets table 32 and 64 bits. Update default syntax to Intel. genInstrX86.py: Add severals pop + ret combination v4.0.0: Addition of 64 bit linux support for ROP exploit generation. Addition of 64 bit support for ROP gadget searching. Addition of Windows PE file loading for gadget searching. Addition of detection of shared libraries and improved code gen for them. Generation of execve ROP exploits with arbitrary argument vectors. Payload generation in PHP, C and Perl as well as improved generation for python. Color disable/enable switch. Improved user friendliness. Vastly increased ROP searching speed. Code restructuring for easing addition of new architectures/platforms. General refacoring and code friendiness. v3.4.1: Bug Fix in module importsc with intel syntax v3.4.0: Feature - Support Att and intel syntax v3.3.4: Bug Fix - Fake positive (github issue) v3.3.3: Bug Fix in the supported architecures. (src/check_arch_supported.c) v3.3.2: Bug Fix (Buffer Overflow - src/check_bind_mode.c) v3.3.1: Segmentation Fault fixed, on compilation x86 64 bits (src/varop.c) v3.3: New Core and news features.
git clone git://github.com/JonathanSalwan/ROPgadget.git cd ./ROPgadget make sudo make install
Syntax: ./ROPgadget [FLAGS] [argv...] Flags: Syntax (default is att): -att Display all asm in att syntax -intel Display all asm in intel syntax Generation Target (only one can be specified, default is execve /bin/sh): -bind <port> Set this flag to make a bind shellcode -importsc <shellcode> Make custom payload (\xFF notation) Search Filtering (all can be specified multiple times): -filter <word> Suppress instructions containing word -only <word> Only show instructions containg word Search Target (only one can be specified, default is internal oplist): -opcode <opcode> Find opcode in exec segment (\xFF notation) -string <string> Find string in read segment ('?' any char) -asm <instructions> Assemble instructions then search for them Search Limits: -limit <n> Only find and show n gadgets/strings -map <start-end> Search between two addresses (0x...-0x...) Output Format (default is python): -pysyn Use Python syntax. -perlsyn Use Perl syntax. -csyn Use C syntax. -phpsyn Use PHP syntax. Program/Meta: -v Version -h Display this help and exit -color Force color output -nocolor Disable color output -nopayload Disable payload generation Arguments: The first non-flag argument is the file to perform operations on. If any positional arguments remain after the file, they are used as the argv for the execve ROP exploit (thus the first should be a full path to an executable). Ex: ./ROPgadget ./smashme.bin -bind 8080 ./ROPgadget ./smashme.bin -importsc "\x6a\x02\x58\xcd\x80\xeb\xf9" ./ROPgadget ./smashme.bin -only "pop" -filter "eax" ./ROPgadget ./smashme.bin -opcode "\xcd\x80" ./ROPgadget ./smashme.bin -intel -asm "mov eax, [eax] ; ret" ./ROPgadget ./smashme.bin -att -asm "int \$0x80" ./ROPgadget ./smashme.bin -string "main" ./ROPgadget ./smashme.bin -string "m?in" ./ROPgadget ./smashme.bin /bin/echo "1 4m 4 1337 h4x0r!"