ROPium (ex-ROPGenerator) is a library/tool that makes ROP-exploits easy. It automatically extracts and analyses gadgets from binaries and lets you find ROP-chains with semantic queries. ROPium supports X86 and X64 architectures, soon to be extended with ARM.
Key features:
- Effortless: ROPium works out-of-the-box with a smooth Command Line Interface
- Python API: It is easy to integrate ROPium in script thanks to its python API
- Automatic chaining: ROPium automatically combines gadgets to create complex ROP-chains
- Advanced features: ROPium supports function calls for various ABIs, syscalls, ...
- Semantic queries: ROPium queries are quick and convenient to write :
rax=rbx+8
,[rdi+0x20]=rax
,rsi=[rbx+16]
,0x08040212(1, 2, rax)
,[0xdeadbeaf] = "/bin/sh\x00"
,sys_execve(0xdeadbeef, 0, 0)
,sys_0x1(0)
,...
First install the Capstone disassembly framework:
sudo apt-get install libcapstone-dev
You also need the latest ROPgadget release:
git clone https://github.com/JonathanSalwan/ROPgadget && cd ROPgadget
python setup.py install --user
To use the CLI tool, install prompt_toolkit:
pip3 install prompt_toolkit
Finally install ROPium:
git clone https://github.com/Boyan-MILANOV/ropium && cd ropium
make
make test
sudo make install
Thanks to a Command-Line-Interface wrapper, you can use ROPium interactively to quickly build ropchains:
Do you need to integrate ropchains directly in your scripts ? Good news, ROPium has a python API !
Loading a binary and finding ropchains:
from ropium import *
rop = ROPium(ARCH.X64)
rop.load('/lib/x86_64-linux-gnu/libc-2.27.so')
chain = rop.compile('rbx = [rax + 0x20]')
Dumping a ropchain in various formats:
>>> print( chain.dump() )
0x000000000009a851 (sub rax, 0x10; ret)
0x0000000000130018 (mov rax, qword ptr [rax + 0x30]; ret)
0x0000000000052240 (push rax; pop rbx; ret)
>>> print(chain.dump('python'))
from struct import pack
off = 0x0
p = ''
p += pack('<Q', 0x000000000009a851+off) # sub rax, 0x10; ret
p += pack('<Q', 0x0000000000130018+off) # mov rax, qword ptr [rax + 0x30]; ret
p += pack('<Q', 0x0000000000052240+off) # push rax; pop rbx; ret
>>> print(chain.dump('raw'))
b'Q\xa8\t\x00\x00\x00\x00\x00\x18\x00\x13\x00\x00\x00\x00\x00@"\x05\x00\x00\x00\x00\x00'
Set constraints on ropchains:
# Bytes that should not appear in the ropchain
rop.bad_bytes = [0x00, 0x0a, 0x0b]
# Register that should not be clobbered by the ropchain
rop.keep_regs = ['rsi', 'rdx']
# Enable/Forbid ropchain to dereference registers that might hold invalid addresses
# Safe mode is 'True' by default
rop.safe_mem = False
# Specify which ABI you want to use when calling functions
rop.abi = ABI.X86_CDECL
# Specify which system to target when doing syscalls
rop.os = OS.LINUX
If needed you can run ROPium in a docker container. The container can be generated from the Dockerfile as follows:
# Create your docker image (this will take time!)
docker build . --tag ropium
# Run the image in interactive mode, bind mounting the file to analyze
docker run --rm -it -v /FULL/HOST/PATH/FILE:/tmp/FILE:ro ropium
(ropium)> load -a X86 /tmp/FILE
The actual image is around 200 MB based on a Debian Stretch with a Python 3.7.3 installed.
Boyan MILANOV - boyan.milanov (at) hotmail (dot) fr
ROPium is provided under the MIT licence.
Contributors:
- Docker container support: migounette, clslgrnc
ROPium uses the following awesome projects:
- capstone : Disassembly Framework
- ROPgadget : Gadget extractor
- prompt-toolkit : Python CLI interface library