LinuxCommandLibrary

ropgadget

Find useful gadgets for Return-Oriented Programming

TLDR

List gadgets in the binary file
$ ROPgadget --binary [path/to/binary]

Filter gadgets in the binary file by a regex
$ ROPgadget --binary [path/to/binary] --re [regex]

List gadgets in the binary file, excluding a specified gadget type (ROP, JOP or syscall gadgets)
$ ROPgadget --binary [path/to/binary] --[norop|nojop|nosys]

Exclude gadgets containing bad bytes from the listing
$ ROPgadget --binary [path/to/binary] --badbytes [byte_string]

List gadgets up to the specified number of bytes in the binary file
$ ROPgadget --binary [path/to/binary] --depth [nbyte]

SYNOPSIS

ropgadget [options]

PARAMETERS

--binary, -f
    Specify target binary file(s) for analysis. Multiple files can be provided.

--depth
    Set the maximum number of instructions allowed for a gadget (default: 6).

--badbytes
    A comma-separated list of hexadecimal bytes to avoid in gadgets (e.g., 00,0a,0d). Gadgets containing these bytes will be filtered out.

--raw
    Search for gadgets in a raw binary file without parsing its header or structure.

--opcode
    Search for a specific sequence of hexadecimal opcode bytes within the binary.

--string
    Search for a specific string literal within the binary's data or code sections.

--memdump
    Search gadgets in a memory dump file, useful for analyzing live processes or crash dumps.

--check-ret
    Verify that identified ret instructions are valid returns (e.g., not part of another instruction).

--all
    Show all discovered gadgets, including those not ending with a ret instruction.

--offset
    Add a specified hexadecimal offset to all reported gadget addresses, useful for ASLR bypass or custom base addresses.

--rop-filter
    Filter out non-ROP-friendly gadgets (e.g., those that significantly modify the stack pointer in an undesirable way).

--limit
    Limit the maximum number of gadgets to find and display.

--thumb, --arm, --mips, --x86, --x64
    Force a specific architecture for disassembly, overriding the tool's auto-detection.

--console
    Enter an interactive console mode for searching gadgets.

--nocolor
    Disable colored output for plain text terminals or scripting.

--silent
    Suppress all non-gadget related output, showing only the gadget list.

-h, --help
    Display a comprehensive help message and exit.

-v, --version
    Show the program's version number and exit.

DESCRIPTION

ropgadget is a powerful command-line tool designed for finding Return-Oriented Programming (ROP) gadgets in executable binaries. ROP is a bypass technique used to circumvent security mitigations like Non-Executable (NX) stacks and Address Space Layout Randomization (ASLR), allowing an attacker to execute arbitrary code.

Instead of injecting shellcode, an attacker chains together small sequences of instructions (gadgets) already present in the program's memory, each ending with a ret instruction. ropgadget disassembles the binary, scans for specific instruction sequences (often ending in ret), and outputs their addresses along with the instructions.

It supports various architectures (x86, x64, ARM, MIPS, PowerPC) and file formats (ELF, PE, Mach-O). This tool is essential for security researchers, exploit developers, and reverse engineers during vulnerability analysis and exploit creation, providing the building blocks for crafting complex ROP chains.

CAVEATS

ropgadget might produce a large number of gadgets, requiring manual filtering and analysis to identify truly useful ones. False positives can occur, especially when using options like --all. Its effectiveness is limited by the quality of its internal disassembler and the presence of suitable ret instructions in the binary. It provides building blocks, but does not guarantee exploitability; crafting an exploit still requires deep understanding of the vulnerability and target architecture.

USAGE CONTEXT

ropgadget is primarily used in the exploit development lifecycle. After identifying a memory corruption vulnerability (e.g., a buffer overflow), security researchers use it to find suitable ROP gadgets within a target binary's address space. These gadgets are then chained together to achieve specific goals, such as calling system("/bin/sh") or bypassing ASLR, without injecting new code.

OUTPUT FORMAT

The default output typically lists the hexadecimal address of the gadget followed by its disassembled instructions, separated by a colon, with individual instructions separated by " ; ". For example:

    0x00401234 : pop rdi ; ret

This format is designed for easy parsing and integration into exploit scripts, commonly used with libraries like pwntools.
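The following added example (not part of the LinuxCommandLibrary page or of ROPgadget itself) parses listings in the default output format shown above and reproduces, in Python, the filters the TLDR section describes: --depth (instruction count), --badbytes and the --norop/--nojop/--nosys type exclusions. The sample listing is constructed for the example, and the assumption that --badbytes applies to the bytes of the gadget address (at a given pointer width) is stated in the code.

```python
import re
from dataclasses import dataclass

# Constructed sample in ROPgadget's default output format (not from a real binary).
SAMPLE_OUTPUT = """\
Gadgets information
============================================================
0x0000000000401234 : pop rdi ; ret
0x000000000040100a : pop rsi ; pop r15 ; ret
0x0000000000401300 : mov rax, rdx ; jmp rcx
0x0000000000401400 : syscall
0x0000000000401500 : add rsp, 0x28 ; pop rbx ; pop rbp ; ret

Unique gadgets found: 5
"""

GADGET_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s*:\s*(.+)$")


@dataclass
class Gadget:
    address: int
    instructions: list

    @property
    def depth(self) -> int:           # what --depth bounds: instructions per gadget
        return len(self.instructions)

    @property
    def kind(self) -> str:            # classification behind --norop/--nojop/--nosys
        mnemonic = self.instructions[-1].split()[0]
        if mnemonic == "ret":
            return "rop"
        if mnemonic in ("jmp", "call"):
            return "jop"
        if mnemonic in ("syscall", "sysenter", "int"):
            return "sys"
        return "other"


def parse_gadgets(text: str) -> list:
    """Keep only '<addr> : <insn> ; <insn>' lines; headers and summaries are skipped."""
    gadgets = []
    for line in text.splitlines():
        m = GADGET_RE.match(line.strip())
        if m:
            insns = [i.strip() for i in m.group(2).split(";") if i.strip()]
            gadgets.append(Gadget(int(m.group(1), 16), insns))
    return gadgets


def has_bad_byte(address: int, badbytes: str, width: int = 8) -> bool:
    """Assumption: bad bytes are matched against the address bytes at pointer width
    (so '00' rejects almost every address in a small 64-bit binary)."""
    bad = {int(b, 16) for b in badbytes.split(",") if b}
    return any(b in bad for b in address.to_bytes(width, "little"))


def filter_gadgets(gadgets, badbytes="", depth=None, exclude=()):
    return [g for g in gadgets
            if not (badbytes and has_bad_byte(g.address, badbytes))
            and (depth is None or g.depth <= depth)
            and g.kind not in exclude]
```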

HISTORY

ropgadget was developed by Jonathan Salwan (@JonathanSalwan) as a standalone tool. It quickly gained popularity within the security community, particularly for exploit development, due to the increasing prevalence of Address Space Layout Randomization (ASLR) and Non-Executable (NX) stack mitigations. Its development reflects the ongoing evolution in exploit techniques, providing a crucial tool for Return-Oriented Programming (ROP) attacks and defense research.

SEE ALSO

objdump(1), readelf(1), gdb(1), radare2(1)
