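def collect(self, do_filter_unsafe=True):
    """Collect ROP gadgets (ending in ``ret`` / ``ret imm``) from ``self._filename``.

    Gadgets are harvested with ropper (type ``'rop'``), the bytes of each
    gadget's final instruction are re-decoded through ``Arch.md`` to confirm
    it is a ``ret`` and to read its optional immediate, and gadgets whose
    stack adjustment is below ``MAX_RETN`` are wrapped in ``Gadget``.

    Args:
        do_filter_unsafe: when true the collected list is passed through
            ``filter_unsafe`` before being returned.

    Returns:
        list of ``Gadget`` objects (filtered when ``do_filter_unsafe`` is set).
    """
    print('Collecting...')
    logging.info("Starting Collection phase")
    options = {
        'color': False,    # if gadgets are printed, use colored output; default: False
        'badbytes': '',    # bad bytes which should not be in addresses or ropchains; default: ''
        'all': False,      # show all gadgets, i.e. do not remove duplicate gadgets; default: False
        'inst_count': 6,   # number of instructions in a gadget; default: 6
        'type': 'rop',     # rop, jop, sys, all; default: all
        'detailed': True,  # if gadgets are printed, use detailed output; default: False
    }
    rs = RopperService(options)
    rs.addFile(self._filename)
    rs.loadGadgetsFor(name=self._filename)
    loaded = rs.getFileFor(name=self._filename)
    # The disassembler must be set up for the binary's architecture before
    # any gadget bytes are re-decoded below.
    Arch.init(str(loaded.arch))

    gadgets = []
    for g in loaded.gadgets:
        address = g._lines[0][0] + g.imageBase
        address_end = g._lines[-1][0] + g.imageBase
        hex_bytes = g._bytes
        # Decode only the final instruction (bytes from the last line's
        # offset onward). Arch.md is assumed to expose a capstone-style
        # disasm() — the X86_INS_RET / operands[0].value.imm usage matches
        # that API. The None default keeps an undecodable tail from raising
        # StopIteration out of the loop; such a gadget is simply skipped.
        ret = next(Arch.md.disasm(hex_bytes[address_end - address:], 0x0, count=1), None)
        if ret is None or ret.id != X86_INS_RET:
            continue
        # `ret imm16` carries its stack adjustment as the single operand.
        retn = ret.operands[0].value.imm if ret.operands else 0
        # Gadgets that pop too much stack on return are not useful here.
        if retn < MAX_RETN:
            gadgets.append(
                Gadget(hex_bytes, address=address, address_end=address_end,
                       retn=retn, arch=Arch.ARCH_BITS))
    return filter_unsafe(gadgets) if do_filter_unsafe else gadgets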
def sys_collect(self, do_filter_unsafe=True):
    """Collect syscall gadgets (ropper type ``'sys'``) from ``self._filename``.

    Each ropper gadget is wrapped in a ``Gadget`` with ``retn=0`` and an empty
    ``modified_regs`` list, then in ``Other_Gadget``.

    NOTE(review): ``Arch.ARCH_BITS`` is read here but ``Arch.init`` is not
    called in this method — presumably ``collect`` has already run; confirm
    against the callers.

    Args:
        do_filter_unsafe: when true the result is passed through
            ``sys_filter_unsafe`` before being returned.

    Returns:
        list of ``Other_Gadget`` objects.
    """
    options = {
        'color': False,    # if gadgets are printed, use colored output; default: False
        'badbytes': '',    # bad bytes which should not be in addresses or ropchains; default: ''
        'all': False,      # show all gadgets, i.e. do not remove duplicate gadgets; default: False
        'inst_count': 6,   # number of instructions in a gadget; default: 6
        'type': 'sys',     # rop, jop, sys, all; default: all
        'detailed': True,  # if gadgets are printed, use detailed output; default: False
    }
    service = RopperService(options)
    service.addFile(self._filename)
    service.loadGadgetsFor(name=self._filename)
    found = service.getFileFor(name=self._filename).gadgets

    collected = []
    for raw in found:
        start = raw._lines[0][0] + raw.imageBase
        end = raw._lines[-1][0] + raw.imageBase
        inner = Gadget(raw._bytes, address=start, address_end=end, retn=0,
                       modified_regs=[], arch=Arch.ARCH_BITS)
        collected.append(Other_Gadget(inner))

    if not do_filter_unsafe:
        return collected
    return sys_filter_unsafe(collected)
rs.options.type = 'jop' rs.loadGadgetsFor() rs.options.type = 'rop' rs.loadGadgetsFor() # change instruction count rs.options.inst_count = 10 rs.loadGadgetsFor() ##### print gadgets ####### rs.printGadgetsFor() # print all gadgets rs.printGadgetsFor(name=ls) ##### Get gadgets ###### gadgets = rs.getFileFor(name=ls).gadgets ##### search pop pop ret ###### pprs = rs.searchPopPopRet(name=ls) # looks for ppr only in 'test-binaries/ls-x86' pprs = rs.searchPopPopRet() # looks for ppr in all opened files for file, ppr in pprs.items(): for p in ppr: print p ##### load jmp reg ###### jmp_regs = rs.searchJmpReg(name=ls, regs=['esp', 'eax']) # looks for jmp reg only in 'test-binaries/ls-x86' jmp_regs = rs.searchJmpReg(regs=['esp', 'eax']) jmp_regs = rs.searchJmpReg() # looks for jmp esp in all opened files for file, jmp_reg in jmp_regs.items(): for j in jmp_reg:
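#!/usr/bin/env python3
"""List the gadgets of libc-2.15.so whose rebased address is all printable ASCII."""
from ropper import RopperService

# Base the gadget addresses are shifted by before the printable check.
IMAGE_BASE = 0x5555e000


def are_bytes_printable(num, width=4):
    """Return True if each of the low ``width`` bytes of ``num`` is printable ASCII.

    Printable here means 0x20..0x7e inclusive; 0x7f (DEL) is a control
    character and is rejected.

    Args:
        num: integer address to test.
        width: number of little-endian bytes to inspect (4 for a 32-bit
            address, 8 for a 64-bit one).

    Returns:
        bool
    """
    for i in range(width):
        byte = (num >> (i * 8)) & 0xFF
        if not 0x20 <= byte <= 0x7e:
            return False
    return True


# The key must be the string 'type'; the bare builtin `type` was previously
# used as the key, so the option was never seen by ropper.
options = {'color': False, 'all': True, 'type': 'all'}
rs = RopperService(options)
rs.addFile('libc-2.15.so')
rs.loadGadgetsFor()
gadgets = rs.getFileFor(name='libc-2.15.so').gadgets
printable = [g for g in gadgets if are_bytes_printable(g.address + IMAGE_BASE)]
for gadget in printable:
    print(gadget)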
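"""Print every gadget of a binary as ``address: instructions`` via ropper's library API.

The regular Ropper.py was throwing an error, so im doing this.
"""
import argparse

from ropper import RopperService

parser = argparse.ArgumentParser(description="Dump all gadgets found in a binary.")
parser.add_argument("filepath", help="File to get gadgets from")
args = parser.parse_args()

options = {
    'color': False,      # no colored output
    'badbytes': '00',    # drop gadgets whose address contains a NUL byte
    'all': False,        # remove duplicate gadgets
    'inst_count': 6,     # max instructions per gadget
    'type': 'all',       # rop, jop, sys, all
    'detailed': False,   # compact output
}
filename = args.filepath
rs = RopperService(options)
rs.addFile(filename)
rs.loadGadgetsFor()
gadgets = rs.getFileFor(filename).gadgets
for gadget in gadgets:
    print(f"{hex(gadget.address)}: {gadget.simpleInstructionString()}")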
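# Gadget types are loaded one at a time: set the option, then reload.
rs.options.type = 'jop'
rs.loadGadgetsFor()
rs.options.type = 'rop'
rs.loadGadgetsFor()

# change instruction count (max instructions per gadget) and reload
rs.options.inst_count = 10
rs.loadGadgetsFor()

##### print gadgets #######
rs.printGadgetsFor()         # print all gadgets
rs.printGadgetsFor(name=ls)  # only the file registered under `ls`

##### Get gadgets ######
gadgets = rs.getFileFor(name=ls).gadgets

##### search pop pop ret ######
pprs = rs.searchPopPopRet(name=ls)  # looks for ppr only in 'test-binaries/ls-x86'
pprs = rs.searchPopPopRet()         # looks for ppr in all opened files
for path, ppr in pprs.items():
    for p in ppr:
        # Parenthesised form prints the same on Python 2 and 3; the
        # statement form `print p` is a syntax error on Python 3.
        print(p)

##### load jmp reg ######
jmp_regs = rs.searchJmpReg(name=ls, regs=['esp', 'eax'])  # looks for jmp reg only in 'test-binaries/ls-x86'
jmp_regs = rs.searchJmpReg(regs=['esp', 'eax'])
jmp_regs = rs.searchJmpReg()  # looks for jmp esp in all opened files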
] rg_args = Args(config).getArgs() rg_bin = Binary(rg_args) G = Gadgets(rg_bin, rg_args, rg_offset) exec_sections = rg_bin.getExecSections() rg_gadgets = [] for section in exec_sections: rg_gadgets += G.addROPGadgets(section) rg_gadgets = G.passClean(rg_gadgets, rg_args.multibr) rg_gadgets = Options(rg_args, rg_bin, rg_gadgets).getGadgets() # --------------------- if not ropper_parsing_error: rs.setArchitectureFor(name=f, arch='x86') rs.loadGadgetsFor(name=f) rp_gadgets = rs.getFileFor(f).gadgets rp_gadgets.sort(key=attrgetter('address')) print 'Found {} gadgets!'.format(len(rp_gadgets)) rs.setImageBaseFor(name=f, imagebase=0x0) else: rp_gadgets = [] rp_len = len(rp_gadgets) rg_len = len(rg_gadgets) rp = True gadgets = rp_gadgets if rp_len < rg_len: gadgets = rg_gadgets rp = False rep = (len(gadgets) / 5000) + 1 for r in xrange(rep):