ROPGADGET(1)                 General Commands Manual                 ROPGADGET(1)
NAME
ROPgadget - search executables for exploitable ROP gadgets
SYNOPSIS
ROPgadget [--binary FILE] [options]
DESCRIPTION
ROPgadget is a tool for security research and vulnerability exploitation. It searches binaries for short sequences of useful machine-code instructions that end in a return instruction ("gadgets"). If an exploit can overwrite the call stack so that each return pops the address of the next gadget, the returns chain the gadgets together and the program executes an attacker-chosen sequence without any injected code ("return-oriented programming"). Because only code already present in the process runs, this can bypass protections such as non-executable (NX/W^X) memory that only block the execution of injected code.
ROPgadget supports the ELF, PE and Mach-O formats, as well as raw code (see --rawArch and --rawMode), on the x86, x64, ARM, PowerPC, SPARC and MIPS architectures. In addition to gadgets ending in a return, it searches for jump-oriented (JOP) gadgets ending in an indirect branch and for gadgets ending in a system call instruction (see --nojop and --nosys).
The following options are available:
- --binary FILE
- Specify the executable to be analyzed
- --opcode OPCODES
- Search for particular opcodes in executable sections
- --string STRING
- Search for a particular string in readable sections
- --memstr STRING
- Search for each byte in readable sections
- --depth DEPTH
- Limit search depth for internal engine (default: 10)
- --only KEY
- Only show specific instructions
- --filter KEY
- Suppress specific instructions
- --range START-END
- Limit the search to the address range between START and END
- --badbytes BYTES
- Reject specific bytes in the address of a gadget
- --rawArch ARCH
- Specify architecture for raw binaries
- --rawMode MODE
- Specify mode for raw binaries
- --re EXPR
- Search for gadgets using the regular expression EXPR
- --offset OFFSET
- Add an offset to all gadget addresses
- --ropchain
- Enable ROP chain generation
- --thumb
- Use thumb mode for ARM architecture binaries
- --console
- Enable the interactive console for the search engine
- --norop
- Disable ROP search engine
- --nojop
- Disable JOP search engine
- --nosys
- Disable SYS search engine
- --multibr
- Enable multiple branch gadgets
- --all
- Show all gadgets, even duplicates
- --dump
- Output the gadget bytes
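The search described under DESCRIPTION, together with the --depth, --badbytes and --all options above, as an added example that is not ROPgadget's own code: a minimal x86-64 ret-gadget finder in C. It locates each ret opcode, walks backwards up to DEPTH bytes and keeps every window that decodes to a clean instruction sequence ending exactly at that ret, which is how gadgets hidden inside longer instructions ("unaligned" gadgets) turn up. The sample bytes, the load address 0x400ffe and the bad-byte list are constructed for the example, and the decoder covers only a handful of opcodes; ROPgadget itself uses a full disassembler (Capstone).

```c
/* Added example (not ROPgadget's own code): a minimal x86-64 ret-gadget
 * finder. Every ret is found first; then windows of 0..DEPTH bytes before it
 * are decoded and kept only when the decoded instructions end exactly at the
 * ret. Only push/pop r64, nop, ret and mov r32, imm32 are decoded here; any
 * other byte rejects the window. Sample bytes, base address and bad bytes are
 * constructed for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEPTH 10            /* bytes searched before each ret (cf. --depth) */
#define MAX_GADGETS 64
#define MAX_TEXT 128

struct gadget { uint64_t addr; char text[MAX_TEXT]; };

static const char *reg64[8] = {"rax","rcx","rdx","rbx","rsp","rbp","rsi","rdi"};
static const char *reg32[8] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};

/* Decode one instruction at p (n bytes available); 0 = unknown or truncated. */
static size_t decode_one(const uint8_t *p, size_t n, char *out, size_t outlen)
{
    uint8_t op = p[0];
    if (op == 0xC3) { snprintf(out, outlen, "ret"); return 1; }
    if (op == 0x90) { snprintf(out, outlen, "nop"); return 1; }
    if (op >= 0x50 && op <= 0x57) { snprintf(out, outlen, "push %s", reg64[op - 0x50]); return 1; }
    if (op >= 0x58 && op <= 0x5F) { snprintf(out, outlen, "pop %s", reg64[op - 0x58]); return 1; }
    if (op >= 0xB8 && op <= 0xBF) {                       /* mov r32, imm32 */
        if (n < 5) return 0;
        uint32_t imm = (uint32_t)p[1] | (uint32_t)p[2] << 8 |
                       (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
        snprintf(out, outlen, "mov %s, 0x%x", reg32[op - 0xB8], (unsigned)imm);
        return 5;
    }
    return 0;
}

/* Accept [start, start+len) only if decoding covers it exactly (last insn = ret). */
static int decode_window(const uint8_t *start, size_t len, char *text, size_t tlen)
{
    size_t off = 0;
    text[0] = '\0';
    while (off < len) {
        char mn[40];
        size_t l = decode_one(start + off, len - off, mn, sizeof mn);
        if (l == 0 || off + l > len) return 0;  /* undecodable, or runs past the ret */
        if (off) strncat(text, " ; ", tlen - strlen(text) - 1);
        strncat(text, mn, tlen - strlen(text) - 1);
        off += l;
    }
    return 1;
}

/* cf. --badbytes: reject an address whose significant bytes contain a bad byte. */
static int has_bad_byte(uint64_t addr, const uint8_t *bad, size_t nbad)
{
    do {
        for (size_t j = 0; j < nbad; j++)
            if ((addr & 0xFF) == bad[j]) return 1;
        addr >>= 8;
    } while (addr);
    return 0;
}

/* Search code[0..n) loaded at base; with all == 0 identical gadget text is
 * reported once (cf. --all). Returns the number of gadgets stored in out. */
static size_t find_gadgets(const uint8_t *code, size_t n, uint64_t base,
                           const uint8_t *bad, size_t nbad, int all,
                           struct gadget *out, size_t maxout)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (code[i] != 0xC3) continue;                    /* ret */
        for (size_t depth = 0; depth <= DEPTH && depth <= i; depth++) {
            size_t start = i - depth;
            char text[MAX_TEXT];
            if (!decode_window(code + start, depth + 1, text, sizeof text)) continue;
            uint64_t addr = base + start;
            if (has_bad_byte(addr, bad, nbad)) continue;
            if (!all) {
                int dup = 0;
                for (size_t k = 0; k < count && !dup; k++) dup = strcmp(out[k].text, text) == 0;
                if (dup) continue;
            }
            if (count == maxout) return count;
            out[count].addr = addr;
            strcpy(out[count].text, text);
            count++;
        }
    }
    return count;
}

/* Constructed sample "text section", load address and bad-byte list. */
static const uint8_t sample[] = {
    0xB8, 0x5F, 0xC3, 0x00, 0x00,   /* mov eax, 0xc35f  (hides "pop rdi ; ret" at +1) */
    0x90,                           /* nop */
    0x5E, 0x5F, 0xC3,               /* pop rsi ; pop rdi ; ret */
    0x48, 0x89, 0xC7,               /* mov rdi, rax     (not in this decoder's table) */
    0x5D, 0xC3,                     /* pop rbp ; ret    (its address ends in 0x0a: filtered) */
};
static const uint64_t sample_base = 0x400ffeULL;
static const uint8_t badbytes[] = { 0x0a };       /* newline, fatal in a gets()-style overflow */

static size_t search_sample(struct gadget *out, size_t maxout, int all)
{
    return find_gadgets(sample, sizeof sample, sample_base, badbytes, sizeof badbytes, all, out, maxout);
}

int main(void)
{
    struct gadget g[MAX_GADGETS];
    size_t n = search_sample(g, MAX_GADGETS, 0);
    for (size_t i = 0; i < n; i++)
        printf("0x%016llx : %s\n", (unsigned long long)g[i].addr, g[i].text);
    printf("Unique gadgets found: %zu\n", n);
    return 0;
}
```

Run as-is it lists five unique gadgets, including "pop rdi ; ret" at 0x400fff, which starts inside the mov eax imm32 instruction and is exactly the kind of gadget a compiler never emitted but a ROP chain can use; "pop rbp ; ret" is dropped because its address 0x40100a contains the bad byte. Passing all = 1 to search_sample also reports the duplicate "ret" and "pop rdi ; ret" occurrences, which is what --all does.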
AUTHOR
This manual page was written for Debian by Timo Röhling and may be used without restriction.