ROPgadget - search executables for exploitable ROP gadgets
[
--binary FILE] [
options]
ROPGadget is a tool for security research and vulnerability exploitation.
It lets you search binaries for sequences of useful machine code instructions
followed by a return statement ("gadgets"). If an exploit can
manipulate the callstack to point to a sequence of gadgets, the return
statements will redirect the program flow to execute the sequence
("return oriented programming"). By reusing existing code out of
context, an attacker can potentially circumvent security measures which
prevent the execution of injected code.
ROPgadget supports
ELF/PE/Mach-O format on x86, x64, ARM, PowerPC, SPARC and MIPS architectures.
The following options are available:
-
--binary FILE
- specify the executable to be analyzed
-
--opcode OPCODES
- Search for particular opcodes in executable sections
-
--string STRING
- Search for a particular string in readable sections
-
--memstr STRING
- Search for each byte in readable sections
-
--depth DEPTH
- Limit search depth for internal engine (default: 10)
-
--only KEY
- Only show specific instructions
-
--filter KEY
- Suppress specific instructions
-
--range START-END
- Limit search to address range between START and
END.
-
--badbytes BYTES
- Reject specific bytes in the address of a gadget
-
--rawArch ARCH
- Specify architecture for raw binaries
-
--rawMode MODE
- Specify mode for raw binaries
-
--re EXPR
- Search for gadgets using the regular expression
EXPR.
-
--offsetOFFSET
- Add an offset to all gadget addresses
- --ropchain
- Enable ROP chain generation
- --thumb
- Use thumb mode for ARM architecture binaries
- --console
- Enable the interactive console for the search engine
- --norop
- Disable ROP search engine
- --nojop
- Disable JOP search engine
- --nosys
- Disable SYS search engine
- --multibr
- Enable multiple branch gadgets
- --all
- Show all gadgets, even duplicates
- --dump
- Output the gadget bytes
This manual page was written for Debian by Timo Röhling and may be used
without restriction.