Ropper v1.11.11 releases: find gadgets to build rop chains for different architectures

Ropper

You can use ropper to display information about binary files in different file formats and you can search for gadgets to build rop chains for different architectures (x86/X86_64, ARM/ARM64, MIPS/MIPS64, PowerPC). For disassembly, it uses the awesome Capstone Framework.

NOTE: I recommend to use the dev version of ropper because bugfixes are earlier available in the dev branch.

Install

Install Capstone with PyPi:

$ sudo pip install capstone

Install filebytes with PyPi:

$ sudo pip install filebytes

Optional:

Install Keystone:

$ sudo pip install keystone-engine

Install

$ git clone https://github.com/sashs/Ropper.git
$ python setup.py install

You can also install with pip

$ pip install ropper

If you don’t want to install filebytes, filebytes is a submodule of the ropper repository. This means you don’t need to install filebytes and ropper.

$ git clone https://github.com/sashs/ropper.git
$ cd ropper
$ git submodule init
$ git submodule update
$ ./Ropper.py

 

THIS FEATURE IS STILL UNDER DEVELOPMENT! Ropper has a semantic search command, which offers the possibility to search for gadgets. Due to a dependency, this command only works with python2 on Linux, but I am working on porting this dependency to python3. Since python3 defaults on some systems, ropper2 can be used to execute ropper with python2.

$ ropper2 --file <afile> --semantic "<any constraint>"

The following optional dependencies are needed to use semantic search:

Install pyvex

$ sudo pip install pyvex

Install z3py

$ python scripts/mk_make.py
$ cd build
$ make
$ sudo make install

 

Currently Possible Constraints

reg == reg     -  assign register to another
reg == number  -  assign number to register
reg == [reg]   -  assign memory to register
reg += number/reg/[reg]
reg -= number/reg/[reg]
reg *= number/reg/[reg]
reg /= number/reg/[reg]

 

Constraint Example

eax==1 !ebx    - set eax to 1 and look for gadgets which does not clobber ebx

 

semantic_search

Usage

usage: Ropper.py [-h] [-v] [--console] [-f <file>] [-r] [-a <arch>]
                 [--section <section>] [--string [<string>]] [--hex]
                 [--asm <asm> [H|S|R] [<asm> [H|S|R] ...]] [--disasm <opcode>]
                 [--disassemble-address <address:length>] [-i] [-e]
                 [--imagebase] [-c] [-s] [-S] [--imports] [--symbols]
                 [--set <option>] [--unset <option>] [-I <imagebase>] [-p]
                 [-j <reg>] [--stack-pivot] [--inst-count <n bytes>]
                 [--search <regex>] [--quality <quality>] [--opcode <opcode>]
                 [--instructions <instructions>] [--type <type>] [--detailed]
                 [--all] [--cfg-only] [--chain <generator>] [-b <badbytes>]
                 [--nocolor] [--clear-cache]

You can use ropper to display information about binary files in different file formats
    and you can search for gadgets to build rop chains for different architectures

supported filetypes:
  ELF
  PE
  Mach-O
  Raw

supported architectures:
  x86 [x86]
  x86_64 [x86_64]
  MIPS [MIPS, MIPS64]
  ARM/Thumb [ARM, ARMTHUMB]
  ARM64 [ARM64]
  PowerPC [PPC, PPC64]

available rop chain generators:
  execve (execve[=<cmd>], default /bin/sh) [Linux x86, x86_64]
  mprotect  (mprotect=<address>:<size>) [Linux x86, x86_64]
  virtualprotect (virtualprotect=<address iat vp>:<size>) [Windows x86]

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         Print version
  --console             Starts interactive commandline
  -f <file>, --file <file>
                        The file to load
  -r, --raw             Loads the file as raw file
  -a <arch>, --arch <arch>
                        The architecture of the loaded file
  --section <section>   The data of the this section should be printed
  --string [<string>]   Looks for the string <string> in all data sections
  --hex                 Prints the selected sections in a hex format
  --asm <asm> [H|S|R] [<asm> [H|S|R] ...]
                        A string to assemble and a format of the output
                        (H=HEX, S=STRING, R=RAW, default: H)
  --disasm <opcode>     Opcode to disassemble (e.g. ffe4, 89c8c3, ...)
  --disassemble-address <address:length>
                        Disassembles instruction at address <address>
                        (0x12345678:L3). The count of instructions to
                        disassemble can be specified (0x....:L...)
  -i, --info            Shows file header [ELF/PE/Mach-O]
  -e                    Shows EntryPoint
  --imagebase           Shows ImageBase [ELF/PE/Mach-O]
  -c, --dllcharacteristics
                        Shows DllCharacteristics [PE]
  -s, --sections        Shows file sections [ELF/PE/Mach-O]
  -S, --segments        Shows file segments [ELF/Mach-O]
  --imports             Shows imports [ELF/PE]
  --symbols             Shows symbols [ELF]
  --set <option>        Sets options. Available options: aslr nx
  --unset <option>      Unsets options. Available options: aslr nx
  -I <imagebase>        Uses this imagebase for gadgets
  -p, --ppr             Searches for 'pop reg; pop reg; ret' instructions
                        [only x86/x86_64]
  -j <reg>, --jmp <reg>
                        Searches for 'jmp reg' instructions (-j reg[,reg...])
                        [only x86/x86_64]
  --stack-pivot         Prints all stack pivot gadgets
  --inst-count <n bytes>
                        Specifies the max count of instructions in a gadget
                        (default: 6)
  --search <regex>      Searches for gadgets
  --quality <quality>   The quality for gadgets which are found by search (1 =
                        best)
  --opcode <opcode>     Searchs for opcodes (e.g. ffe4 or ffe? or ff??)
  --instructions <instructions>
                        Searchs for instructions (e.g. "jmp esp", "pop eax;
                        ret")
  --type <type>         Sets the type of gadgets [rop, jop, sys, all]
                        (default: all)
  --detailed            Prints gadgets more detailed
  --all                 Does not remove duplicate gadgets
  --cfg-only            Filters out gadgets which fail the Microsoft CFG
                        check. Only for PE files which are compiled with CFG
                        check enabled (check DllCharachteristics) [PE]
  --chain <generator>   Generates a ropchain [generator parameter=value[
                        parameter=value]]
  -b <badbytes>, --badbytes <badbytes>
                        Set bytes which should not contains in gadgets
  --nocolor             Disables colored output
  --clear-cache         Clears the cache

example uses:
  [Generic]
  ./Ropper.py
  ./Ropper.py --file /bin/ls --console

  [Informations]
  ./Ropper.py --file /bin/ls --info
  ./Ropper.py --file /bin/ls --imports
  ./Ropper.py --file /bin/ls --sections
  ./Ropper.py --file /bin/ls --segments
  ./Ropper.py --file /bin/ls --set nx
  ./Ropper.py --file /bin/ls --unset nx
  ./Ropper.py --file /bin/ls --inst-count 5
  ./Ropper.py --file /bin/ls --search "sub eax" --badbytes 000a0d
  ./Ropper.py --file /bin/ls --search "sub eax" --detail
  ./Ropper.py --file /bin/ls --filter "sub eax"
  ./Ropper.py --file /bin/ls --inst-count 5 --filter "sub eax"
  ./Ropper.py --file /bin/ls --opcode ffe4
  ./Ropper.py --file /bin/ls --opcode ffe?
  ./Ropper.py --file /bin/ls --opcode ??e4
  ./Ropper.py --file /bin/ls --detailed
  ./Ropper.py --file /bin/ls --ppr --nocolor
  ./Ropper.py --file /bin/ls --jmp esp,eax
  ./Ropper.py --file /bin/ls --type jop
  ./Ropper.py --file /bin/ls --chain execve
  ./Ropper.py --file /bin/ls --chain "execve cmd=/bin/sh" --badbytes 000a0d
  ./Ropper.py --file /bin/ls --chain "mprotect address=0xbfdff000 size=0x21000"
  ./Ropper.py --file /bin/ls /lib/libc.so.6 --console

  [Assemble/Disassemble]
  ./Ropper.py --asm "jmp esp"
  ./Ropper.py --asm "mov eax, ecx; ret"
  ./Ropper.py --disasm ffe4

  [Search]
  ./Ropper.py --file /bin/ls --search <searchstring>
  ?     any character
  %     any string

  Example:

  ./Ropper.py --file /bin/ls --search "mov e?x"
  0x000067f1: mov edx, dword ptr [ebp + 0x14]; mov dword ptr [esp], edx; call eax
  0x00006d03: mov eax, esi; pop ebx; pop esi; pop edi; pop ebp; ret ;
  0x00006d6f: mov ebx, esi; mov esi, dword ptr [esp + 0x18]; add esp, 0x1c; ret ;
  0x000076f8: mov eax, dword ptr [eax]; mov byte ptr [eax + edx], 0; add esp, 0x18; pop ebx; ret ;

  ./Ropper.py --file /bin/ls --search "mov [%], edx"
  0x000067ed: mov dword ptr [esp + 4], edx; mov edx, dword ptr [ebp + 0x14]; mov dword ptr [esp], edx; call eax;
  0x00006f4e: mov dword ptr [ecx + 0x14], edx; add esp, 0x2c; pop ebx; pop esi; pop edi; pop ebp; ret ;
  0x000084b8: mov dword ptr [eax], edx; ret ;
  0x00008d9b: mov dword ptr [eax], edx; add esp, 0x18; pop ebx; ret ;

  ./Ropper.py --file /bin/ls --search "mov [%], edx" --quality 1
  0x000084b8: mov dword ptr [eax], edx; ret ;; ret ;

 

Screenshots

load

x86

arm

mips

ppc

ropchain

header

Copyright 2018 Sascha Schirra

Source: https://github.com/sashs/

Share