ropgadget

Find ROP gadgets in binary executables

TLDR

Find gadgets in binary

$ ROPgadget --binary [binary]

Search for specific gadget

$ ROPgadget --binary [binary] --string "[/bin/sh]"

Filter gadgets by regex

$ ROPgadget --binary [binary] --re "[pop.*ret]"

Show only unique gadgets

$ ROPgadget --binary [binary] --nojop

Limit gadget depth

$ ROPgadget --binary [binary] --depth [5]

Generate ropchain

$ ROPgadget --binary [binary] --ropchain

Output to file

$ ROPgadget --binary [binary] > [gadgets.txt]

SYNOPSIS

ROPgadget [--binary file] [--string str] [--re pattern] [options]

ROPgadget finds ROP (Return-Oriented Programming) gadgets in binaries. It's used for exploit development and security research.
Gadgets are small instruction sequences ending in returns. They're chained to build exploits.
String searching finds useful data in binaries. Shell paths and other strings located.
Automatic ropchain generation builds exploit templates. Creates execve chains for common scenarios.
Depth limits instruction sequence length. Shorter gadgets are generally more useful.

PARAMETERS

--binary FILE

Target binary.

--string STR

Find string in binary.

--re REGEX

Filter by regex.

--ropchain

Generate ROP chain.

--depth N

Gadget instruction depth.

--nojop

No JOP gadgets.

--nosys

No syscall gadgets.

--multibr

Multiple branches.

--all

All sections.

CAVEATS

For authorized security research only. Understanding assembly required. Results need manual analysis.

HISTORY

ROPgadget was created by Jonathan Salwan for ROP exploit development. It's widely used in CTF competitions and security research.