Exrop is automatic ROP chains generator tool which can build gadget chain automatically from given binary and constraints
Requirements : Triton, ROPGadget
Only support for x86-64 for now!
Features:
- handling non-return gadgets (jmp reg, call reg)
- set registers (
rdi=0xxxxxx, rsi=0xxxxxx) - set register to register (
rdi=rax) - write to mem
- write string/bytes to mem
- function call (
open('/etc/passwd',0)) - pass register in function call (
read('rax', bss, 0x100)) - avoiding badchars
- stack pivoting (
Exrop.stack_pivot) - syscall (
Exrop.syscall) - see examples
- install python (3.6 is recomended and tested)
- install triton (https://triton.quarkslab.com/documentation/doxygen/index.html#linux_install_sec), make sure you add
-DPYTHON36=onas cmake option - install ropgadget (https://github.com/JonathanSalwan/ROPgadget)
- to install exrop, easily add
export PYTHONPATH=/path/to/exrop:$PYTHONPATHin your.bashrc(depends on your shell)
from Exrop import Exrop
rop = Exrop("/bin/ls")
rop.find_gadgets(cache=True)
print("write-regs gadgets: rdi=0x41414141, rsi:0x42424242, rdx: 0x43434343, rax:0x44444444, rbx=0x45454545")
chain = rop.set_regs({'rdi':0x41414141, 'rsi': 0x42424242, 'rdx':0x43434343, 'rax':0x44444444, 'rbx': 0x45454545})
chain.dump()
print("write-what-where gadgets: [0x41414141]=0xdeadbeefff, [0x43434343]=0x110011")
chain = rop.set_writes({0x41414141: 0xdeadbeefff, 0x43434343: 0x00110011})
chain.dump()
print("write-string gadgets 0x41414141=\"Hello world!\\n\"")
chain = rop.set_string({0x41414141: "Hello world!\n"})
chain.dump()
print("func-call gadgets 0x41414141(0x20, 0x30, \"Hello\")")
chain = rop.func_call(0x41414141, (0x20, 0x30, "Hello"), 0x7fffff00)
chain.dump()Output: