LinuxCommandLibrary

ropgadget

Find ROP gadgets in binary executables

TLDR

Find gadgets in binary

$ ROPgadget --binary [binary]

Search the binary for a string (for example /bin/sh) and print its address

$ ROPgadget --binary [binary] --string "[/bin/sh]"

Filter gadgets by regex

$ ROPgadget --binary [binary] --re "[pop.*ret]"

Exclude JOP gadgets (those ending in an indirect jmp or call)

$ ROPgadget --binary [binary] --nojop

Limit how many bytes are searched backwards from each gadget terminator (default 10)

$ ROPgadget --binary [binary] --depth [5]

Generate an execve ropchain (x86 and x86-64 ELF only)

$ ROPgadget --binary [binary] --ropchain

Output to file

$ ROPgadget --binary [binary] > [gadgets.txt]

SYNOPSIS

ROPgadget [--binary file] [--string str] [--re pattern] [options]

DESCRIPTION

ROPgadget searches binaries (ELF, PE, Mach-O and raw files, on x86/x86-64 and several other architectures) for ROP (Return-Oriented Programming) gadgets. It is used for exploit development and security research.
A gadget is a short instruction sequence ending in a control transfer the attacker controls: ret (ROP gadgets), an indirect jmp or call through a register (JOP gadgets), or a system-call instruction (SYS gadgets). Once a stack or register is under control, gadgets are chained so that each one's terminator dispatches to the next, running attacker-chosen computation out of code the process already maps; this is how exploits bypass non-executable memory (NX/DEP). ROPgadget looks for terminator opcodes at every byte offset, so many of the gadgets it reports are "unintended" sequences that start in the middle of a longer instruction.
String searching (--string) locates data a chain needs, such as the path /bin/sh passed to execve.
Automatic ropchain generation (--ropchain) assembles an execve("/bin/sh") chain from the gadgets found. The generator only supports x86 and x86-64 ELF binaries and only succeeds when the gadgets it needs (register loads, a memory write, a syscall) are all present.
--depth bounds how many bytes before each terminator are examined (default 10). Shorter gadgets are usually more useful because they have fewer side effects to account for. Identical gadgets found at different addresses are collapsed by default; --all keeps every occurrence.
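The following is an added example, not ROPgadget's own code, showing the search strategy described above on a constructed byte buffer: find every byte position that decodes to a terminator (ret, syscall, jmp/call reg), walk backwards up to a depth, keep the starts that decode cleanly onto that terminator, then apply the JOP/SYS filters, the multi-branch rule and deduplication. It decodes only a handful of x86-64 opcodes (pop, nop, leave, ret, syscall, jmp/call reg) so that it runs without a disassembler; a real tool uses a full disassembler, and the rop_opts fields are this example's names for --depth, --nojop, --nosys, --multibr and --all, not ROPgadget's internals.

```c
/* Added example (not ROPgadget's code): toy x86-64 gadget finder that mirrors
 * the search strategy ROPgadget uses.  Only a few opcodes are decoded so it is
 * self-contained; everything else is reported as undecodable. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_GADGETS 64

typedef struct {
    int depth;    /* bytes tried before each terminator (like --depth)        */
    int nojop;    /* drop gadgets ending in jmp/call reg (like --nojop)       */
    int nosys;    /* drop gadgets ending in syscall (like --nosys)            */
    int multibr;  /* allow a branch in the middle of a gadget (like --multibr) */
    int all;      /* keep duplicate gadget text (like --all)                  */
} rop_opts;

typedef struct {
    size_t offset;   /* offset of the gadget's first byte in the buffer */
    char kind;       /* 'R' = ROP (ret), 'J' = JOP (jmp/call reg), 'S' = SYS (syscall) */
    char text[128];  /* "pop rdi ; ret" style disassembly */
} gadget;

static const char *reg64[16] = { "rax","rcx","rdx","rbx","rsp","rbp","rsi","rdi",
                                 "r8","r9","r10","r11","r12","r13","r14","r15" };

/* Decode one instruction at buf[i].  Returns its length, or 0 if the opcode is
 * not one of the few this toy decoder knows.  *kind is the terminator class
 * ('R', 'J', 'S') or 0 for a non-branch instruction. */
static size_t decode_one(const unsigned char *buf, size_t len, size_t i,
                         char *out, size_t outsz, char *kind)
{
    unsigned char b = buf[i], m = (i + 1 < len) ? buf[i + 1] : 0;
    *kind = 0;
    if (b == 0xc3) { *kind = 'R'; snprintf(out, outsz, "%s", "ret");   return 1; }
    if (b == 0x90) {              snprintf(out, outsz, "%s", "nop");   return 1; }
    if (b == 0xc9) {              snprintf(out, outsz, "%s", "leave"); return 1; }
    if (b >= 0x58 && b <= 0x5f) { snprintf(out, outsz, "pop %s", reg64[b - 0x58]); return 1; }
    if (i + 1 >= len) return 0;                       /* remaining forms are two bytes */
    if (b == 0x41 && m >= 0x58 && m <= 0x5f) { snprintf(out, outsz, "pop %s", reg64[8 + m - 0x58]); return 2; }
    if (b == 0x0f && m == 0x05) { *kind = 'S'; snprintf(out, outsz, "%s", "syscall"); return 2; }
    if (b == 0xff && (m & 0xf8) == 0xe0) { *kind = 'J'; snprintf(out, outsz, "jmp %s",  reg64[m & 7]); return 2; }
    if (b == 0xff && (m & 0xf8) == 0xd0) { *kind = 'J'; snprintf(out, outsz, "call %s", reg64[m & 7]); return 2; }
    return 0;
}

/* Try to decode a gadget from `start` that ends exactly on the terminator at
 * `term`.  Fails on an undecodable byte, on overshooting the terminator, or
 * (without multibr) on hitting another branch first. */
static int decode_gadget(const unsigned char *buf, size_t len, size_t start,
                         size_t term, const rop_opts *o, gadget *g)
{
    size_t pos = start;
    g->text[0] = '\0';
    while (pos <= term) {
        char insn[32], kind;
        size_t n = decode_one(buf, len, pos, insn, sizeof insn, &kind);
        if (n == 0) return 0;
        if (kind && pos != term && !o->multibr) return 0;
        if (pos != start) strncat(g->text, " ; ", sizeof g->text - strlen(g->text) - 1);
        strncat(g->text, insn, sizeof g->text - strlen(g->text) - 1);
        if (pos == term) { g->offset = start; g->kind = kind; return 1; }
        pos += n;
    }
    return 0;
}

/* Scan every byte offset for a terminator, then walk backwards from it. */
static int find_gadgets(const unsigned char *buf, size_t len, const rop_opts *o,
                        gadget *out, int max_out)
{
    int count = 0;
    for (size_t term = 0; term < len; term++) {
        char insn[32], kind;
        if (decode_one(buf, len, term, insn, sizeof insn, &kind) == 0 || !kind) continue;
        if ((kind == 'J' && o->nojop) || (kind == 'S' && o->nosys)) continue;
        for (int back = 0; back < o->depth && (size_t)back <= term; back++) {
            gadget g;
            int dup = 0;
            if (!decode_gadget(buf, len, term - back, term, o, &g)) continue;
            if (!o->all)                       /* collapse identical gadget text */
                for (int k = 0; k < count; k++)
                    if (strcmp(out[k].text, g.text) == 0) { dup = 1; break; }
            if (dup || count >= max_out) continue;
            out[count++] = g;
        }
    }
    return count;
}

/* Constructed sample "text section" (not taken from any real binary): a few
 * hand-picked encodings plus one mov whose last byte happens to be 0xc3. */
const unsigned char SAMPLE[] = {
    0x5f, 0xc3,              /* pop rdi ; ret                      @0  */
    0x5e, 0x5a, 0xc3,        /* pop rsi ; pop rdx ; ret            @2  */
    0x58, 0x0f, 0x05,        /* pop rax ; syscall                  @5  */
    0x5f, 0xc3,              /* pop rdi ; ret  (duplicate text)    @8  */
    0x41, 0x5c, 0xff, 0xe0,  /* pop r12 ; jmp rax                  @10 */
    0x48, 0x89, 0xc3,        /* mov rbx, rax: unintended ret at    @16 */
};
const size_t SAMPLE_LEN = sizeof SAMPLE;

/* Count gadgets in SAMPLE under one option set. */
int count_gadgets(int depth, int nojop, int nosys, int multibr, int all)
{
    rop_opts o = { depth, nojop, nosys, multibr, all };
    gadget tmp[MAX_GADGETS];
    return find_gadgets(SAMPLE, SAMPLE_LEN, &o, tmp, MAX_GADGETS);
}

int main(void)
{
    rop_opts o = { 5, 0, 0, 0, 0 };
    gadget found[MAX_GADGETS];
    int n = find_gadgets(SAMPLE, SAMPLE_LEN, &o, found, MAX_GADGETS);
    for (int i = 0; i < n; i++)
        printf("0x%04zx : %s\n", found[i].offset, found[i].text);
    printf("Unique gadgets found: %d\n", n);
    return 0;
}
```

With the default option set the scan reports nine unique gadgets, including "pop rsp ; jmp rax" at offset 11 and a bare "ret" at offset 16, both of which start inside the bytes of another instruction; passing nojop or nosys removes the jmp rax and syscall gadgets, a depth of 2 drops the longer pop sequences, and all=1 brings back the four duplicate occurrences.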

PARAMETERS

--binary FILE

Target binary.
--string STR
Search the binary for the string STR (for example /bin/sh) and print its address.
--re REGEX
Keep only gadgets whose disassembly matches REGEX.
--ropchain
Generate an execve("/bin/sh") ROP chain from the gadgets found (x86 and x86-64 ELF only).
--depth N
Maximum number of bytes searched backwards from each gadget terminator (default 10).
--nojop
Exclude JOP gadgets (those ending in an indirect jmp or call through a register).
--nosys
Exclude SYS gadgets (those ending in a system-call instruction such as syscall or int 0x80).
--multibr
Keep gadgets that contain more than one branch instruction (dropped by default).
--all
Keep duplicate gadgets instead of collapsing identical sequences found at different addresses.

CAVEATS

For authorized security research only. Understanding assembly is required. The output lists candidate gadgets only: verify each one's side effects (extra pops, stack adjustments, clobbered registers) before using it in a chain, and remember that many reported gadgets are unintended sequences starting in the middle of a longer instruction. Addresses are printed relative to the binary's load base, so they must be adjusted for PIE and ASLR at runtime.

HISTORY

ROPgadget was created by Jonathan Salwan for ROP exploit development. It's widely used in CTF competitions and security research.

SEE ALSO

ropper(1), objdump(1), pwntools(1), radare2(1)
