How to use ROPGadget - 10 common examples
To help you get started, we’ve selected a few ROPGadget examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
Gallopsled / pwntools / pwnlib / rop / rop.py View on Github 
def __getattr__(self, k):
return self._fd.__getattribute__(k)
gadgets = {}
for elf in self.elfs:
cache = self.__cache_load(elf)
if cache:
gadgets.update(cache)
continue
log.info_once('Loading gadgets for %r' % elf.path)
try:
sys.stdout = Wrapper(sys.stdout)
import ropgadget
sys.argv = ['ropgadget', '--binary', elf.path, '--only', 'sysenter|syscall|int|add|pop|leave|ret', '--nojop']
args = ropgadget.args.Args().getArgs()
core = ropgadget.core.Core(args)
core.do_binary(elf.path)
core.do_load(0)
finally:
sys.argv = argv
sys.stdout = stdout
elf_gadgets = {}
for gadget in core._Core__gadgets:
address = gadget['vaddr'] - elf.load_addr + elf.address
insns = [ g.strip() for g in gadget['gadget'].split(';') ]
if all(map(valid, insns)):
elf_gadgets[address] = insns
self.__cache_save(elf, elf_gadgets)
gadgets.update(elf_gadgets)def __getattr__(self, k):
return self._fd.__getattribute__(k)
gadgets = {}
for elf in self.elfs:
cache = self.__cache_load(elf)
if cache:
gadgets.update(cache)
continue
log.info_once('Loading gadgets for %r' % elf.path)
try:
sys.stdout = Wrapper(sys.stdout)
import ropgadget
sys.argv = ['ropgadget', '--binary', elf.path, '--only', 'sysenter|syscall|int|add|pop|leave|ret', '--nojop']
args = ropgadget.args.Args().getArgs()
core = ropgadget.core.Core(args)
core.do_binary(elf.path)
core.do_load(0)
finally:
sys.argv = argv
sys.stdout = stdout
elf_gadgets = {}
for gadget in core._Core__gadgets:
address = gadget['vaddr'] - elf.load_addr + elf.address
insns = [ g.strip() for g in gadget['gadget'].split(';') ]
if all(map(valid, insns)):
elf_gadgets[address] = insns
self.__cache_save(elf, elf_gadgets)
gadgets.update(elf_gadgets)def __getattr__(self, k):
return self._fd.__getattribute__(k)
gadgets = {}
for elf in self.elfs:
cache = self.__cache_load(elf)
if cache:
gadgets.update(cache)
continue
log.info_once('Loading gadgets for %r' % elf.path)
try:
sys.stdout = Wrapper(sys.stdout)
import ropgadget
sys.argv = ['ropgadget', '--binary', elf.path, '--only', 'sysenter|syscall|int|add|pop|leave|ret', '--nojop']
args = ropgadget.args.Args().getArgs()
core = ropgadget.core.Core(args)
core.do_binary(elf.path)
core.do_load(0)
finally:
sys.argv = argv
sys.stdout = stdout
elf_gadgets = {}
for gadget in core._Core__gadgets:
address = gadget['vaddr'] - elf.load_addr + elf.address
insns = [ g.strip() for g in gadget['gadget'].split(';') ]
if all(map(valid, insns)):
elf_gadgets[address] = insns
self.__cache_save(elf, elf_gadgets)
gadgets.update(elf_gadgets)def __getattr__(self, k):
return self._fd.__getattribute__(k)
gadgets = {}
for elf in self.elfs:
cache = self.__cache_load(elf)
if cache:
gadgets.update(cache)
continue
log.info_once('Loading gadgets for %r' % elf.path)
try:
sys.stdout = Wrapper(sys.stdout)
import ropgadget
sys.argv = ['ropgadget', '--binary', elf.path, '--only', 'sysenter|syscall|int|add|pop|leave|ret', '--nojop']
args = ropgadget.args.Args().getArgs()
core = ropgadget.core.Core(args)
core.do_binary(elf.path)
core.do_load(0)
finally:
sys.argv = argv
sys.stdout = stdout
elf_gadgets = {}
for gadget in core._Core__gadgets:
address = gadget['vaddr'] - elf.load_addr + elf.address
insns = [ g.strip() for g in gadget['gadget'].split(';') ]
if all(map(valid, insns)):
elf_gadgets[address] = insns
self.__cache_save(elf, elf_gadgets)
gadgets.update(elf_gadgets)def __setShdr(self):
shdr_num = self.__ElfHeader.e_shnum
base = self.__binary[self.__ElfHeader.e_shoff:]
shdr_l = []
e_ident = self.__binary[:15]
ei_data = e_ident[ELFFlags.EI_DATA]
for i in range(shdr_num):
if self.getArchMode() == CS_MODE_32:
if ei_data == ELFFlags.ELFDATA2LSB: shdr = Elf32_Shdr_LSB.from_buffer_copy(base)
elif ei_data == ELFFlags.ELFDATA2MSB: shdr = Elf32_Shdr_MSB.from_buffer_copy(base)
elif self.getArchMode() == CS_MODE_64:
if ei_data == ELFFlags.ELFDATA2LSB: shdr = Elf64_Shdr_LSB.from_buffer_copy(base)
elif ei_data == ELFFlags.ELFDATA2MSB: shdr = Elf64_Shdr_MSB.from_buffer_copy(base)
self.__shdr_l.append(shdr)
base = base[self.__ElfHeader.e_shentsize:]
# setup name from the strings table
if self.__ElfHeader.e_shstrndx != 0:
string_table = bytes(self.__binary[(self.__shdr_l[self.__ElfHeader.e_shstrndx].sh_offset):])
for i in range(shdr_num):
self.__shdr_l[i].str_name = string_table[self.__shdr_l[i].sh_name:].split(b'\x00')[0].decode('utf8')def __setShdr(self):
shdr_num = self.__ElfHeader.e_shnum
base = self.__binary[self.__ElfHeader.e_shoff:]
shdr_l = []
e_ident = self.__binary[:15]
ei_data = e_ident[ELFFlags.EI_DATA]
for i in range(shdr_num):
if self.getArchMode() == CS_MODE_32:
if ei_data == ELFFlags.ELFDATA2LSB: shdr = Elf32_Shdr_LSB.from_buffer_copy(base)
elif ei_data == ELFFlags.ELFDATA2MSB: shdr = Elf32_Shdr_MSB.from_buffer_copy(base)
elif self.getArchMode() == CS_MODE_64:
if ei_data == ELFFlags.ELFDATA2LSB: shdr = Elf64_Shdr_LSB.from_buffer_copy(base)
elif ei_data == ELFFlags.ELFDATA2MSB: shdr = Elf64_Shdr_MSB.from_buffer_copy(base)
self.__shdr_l.append(shdr)
base = base[self.__ElfHeader.e_shentsize:]
# setup name from the strings table
if self.__ElfHeader.e_shstrndx != 0:
string_table = bytes(self.__binary[(self.__shdr_l[self.__ElfHeader.e_shstrndx].sh_offset):])
for i in range(shdr_num):
self.__shdr_l[i].str_name = string_table[self.__shdr_l[i].sh_name:].split(b'\x00')[0].decode('utf8')def __setShdr(self):
shdr_num = self.__ElfHeader.e_shnum
base = self.__binary[self.__ElfHeader.e_shoff:]
shdr_l = []
e_ident = self.__binary[:15]
ei_data = e_ident[ELFFlags.EI_DATA]
for i in range(shdr_num):
if self.getArchMode() == CS_MODE_32:
if ei_data == ELFFlags.ELFDATA2LSB: shdr = Elf32_Shdr_LSB.from_buffer_copy(base)
elif ei_data == ELFFlags.ELFDATA2MSB: shdr = Elf32_Shdr_MSB.from_buffer_copy(base)
elif self.getArchMode() == CS_MODE_64:
if ei_data == ELFFlags.ELFDATA2LSB: shdr = Elf64_Shdr_LSB.from_buffer_copy(base)
elif ei_data == ELFFlags.ELFDATA2MSB: shdr = Elf64_Shdr_MSB.from_buffer_copy(base)
self.__shdr_l.append(shdr)
base = base[self.__ElfHeader.e_shentsize:]
# setup name from the strings table
if self.__ElfHeader.e_shstrndx != 0:
string_table = bytes(self.__binary[(self.__shdr_l[self.__ElfHeader.e_shstrndx].sh_offset):])
for i in range(shdr_num):
self.__shdr_l[i].str_name = string_table[self.__shdr_l[i].sh_name:].split(b'\x00')[0].decode('utf8')def __setShdr(self):
shdr_num = self.__ElfHeader.e_shnum
base = self.__binary[self.__ElfHeader.e_shoff:]
shdr_l = []
e_ident = self.__binary[:15]
ei_data = e_ident[ELFFlags.EI_DATA]
for i in range(shdr_num):
if self.getArchMode() == CS_MODE_32:
if ei_data == ELFFlags.ELFDATA2LSB: shdr = Elf32_Shdr_LSB.from_buffer_copy(base)
elif ei_data == ELFFlags.ELFDATA2MSB: shdr = Elf32_Shdr_MSB.from_buffer_copy(base)
elif self.getArchMode() == CS_MODE_64:
if ei_data == ELFFlags.ELFDATA2LSB: shdr = Elf64_Shdr_LSB.from_buffer_copy(base)
elif ei_data == ELFFlags.ELFDATA2MSB: shdr = Elf64_Shdr_MSB.from_buffer_copy(base)
self.__shdr_l.append(shdr)
base = base[self.__ElfHeader.e_shentsize:]
# setup name from the strings table
if self.__ElfHeader.e_shstrndx != 0:
string_table = bytes(self.__binary[(self.__shdr_l[self.__ElfHeader.e_shstrndx].sh_offset):])
for i in range(shdr_num):
self.__shdr_l[i].str_name = string_table[self.__shdr_l[i].sh_name:].split(b'\x00')[0].decode('utf8')def ropSearchJmp(elf, instruction):
oldargv = sys.argv
sys.argv = ['ropgadget', '--binary', elf.path, '--only', 'jmp']
args = ropgadget.args.Args().getArgs()
core = ropgadget.core.Core(args)
core.do_binary(elf.path)
core.do_load(0)
sys.argv = oldargv
for gadget in core._Core__gadgets:
address = gadget['vaddr'] - elf.load_addr + elf.address
if gadget['gadget'] == instruction:
return address
raisedef ropSearchJmp(elf, instruction):
oldargv = sys.argv
sys.argv = ['ropgadget', '--binary', elf.path, '--only', 'jmp']
args = ropgadget.args.Args().getArgs()
core = ropgadget.core.Core(args)
core.do_binary(elf.path)
core.do_load(0)
sys.argv = oldargv
for gadget in core._Core__gadgets:
address = gadget['vaddr'] - elf.load_addr + elf.address
if gadget['gadget'] == instruction:
return address
raiseROPGadget
This tool lets you search your gadgets on your binaries to facilitate your ROP exploitation.
Package Health Score
77 / 100Popular ROPGadget functions
- ropgadget.args
- ropgadget.binary.Binary
- ropgadget.core
- ropgadget.gadgets.Gadgets
- ropgadget.loaders.elf.Elf32_Ehdr_LSB.from_buffer_copy
- ropgadget.loaders.elf.Elf32_Ehdr_MSB.from_buffer_copy
- ropgadget.loaders.elf.Elf32_Phdr_LSB.from_buffer_copy
- ropgadget.loaders.elf.Elf32_Phdr_MSB.from_buffer_copy
- ropgadget.loaders.elf.Elf32_Shdr_LSB.from_buffer_copy
- ropgadget.loaders.elf.Elf32_Shdr_MSB.from_buffer_copy
- ropgadget.loaders.elf.Elf64_Ehdr_LSB.from_buffer_copy
- ropgadget.loaders.elf.ELFFlags
- ropgadget.loaders.macho.MACHOFlags
- ropgadget.loaders.macho.SECTION.from_buffer_copy
- ropgadget.loaders.macho.SECTION64.from_buffer_copy
- ropgadget.loaders.pe.PEFlags
- ropgadget.rgutils.alphaSortgadgets
- ropgadget.rgutils.deleteDuplicateGadgets