NAME¶

ROPgadget - search executables for exploitable ROP gadgets

SYNOPSIS¶

DESCRIPTION¶

ROPGadget is a tool for security research and vulnerability exploitation. It lets you search binaries for sequences of useful machine code instructions followed by a return statement ("gadgets"). If an exploit can manipulate the callstack to point to a sequence of gadgets, the return statements will redirect the program flow to execute the sequence ("return oriented programming"). By reusing existing code out of context, an attacker can potentially circumvent security measures which prevent the execution of injected code. ROPgadget supports ELF/PE/Mach-O format on x86, x64, ARM, PowerPC, SPARC and MIPS architectures.

The following options are available:

--binary FILE

specify the executable to be analyzed

--opcode OPCODES

Search for particular opcodes in executable sections

--string STRING

Search for a particular string in readable sections

--memstr STRING

Search for each byte in readable sections

--depth DEPTH

Limit search depth for internal engine (default: 10)

--only KEY

Only show specific instructions

--filter KEY

Suppress specific instructions

--range START-END

Limit search to address range between START and END.

--badbytes BYTES

Reject specific bytes in the address of a gadget

--rawArch ARCH

Specify architecture for raw binaries

--rawMode MODE

Specify mode for raw binaries

--re EXPR

Search for gadgets using the regular expression EXPR.

--offsetOFFSET

Add an offset to all gadget addresses

--ropchain

Enable ROP chain generation

--thumb

Use thumb mode for ARM architecture binaries

--console

Enable the interactive console for the search engine

--norop

Disable ROP search engine

--nojop

Disable JOP search engine

--nosys

Disable SYS search engine

--multibr

Enable multiple branch gadgets

--all

Show all gadgets, even duplicates

--dump

Output the gadget bytes

AUTHOR¶

This manual page was written for Debian by Timo Röhling and may be used without restriction.