Installing and Using Ropper, a ROP Gadget Search Tool


Date: 2022-05-04, version: V0.1

Author: robotech_erx

1. Installation

Environment:

Ubuntu 20 LTS desktop edition; Python 3.8.10.

 

First install pip3 (the Ubuntu package is python3-pip):

$ sudo apt install python3-pip

 

Install Capstone and filebytes with pip:

$ sudo pip3 install capstone

$ sudo pip3 install filebytes

Optional (not needed to run ropper just to look for gadgets):

Install Keystone:

$ sudo pip3 install keystone-engine

Install and execute Ropper

$ python setup.py install

$ ropper

You can also install Ropper with pip

$ pip3 install ropper

If you want, you can use Ropper without installation

$ ./Ropper.py

 

Here everything was installed directly with pip3:

$ pip3 install capstone filebytes unicorn keystone-engine ropper

After installation there is a warning:

  WARNING: The script ropper is installed in '/home/jack/.local/bin' which is not on PATH.

  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.

Just add that directory to PATH manually.

2. Common commands

(1) file: load a file

(ropper)> file /usr/bin/ls

(ls/ELF/x86_64)>

After loading a file you enter interactive mode; all commands below are interactive-mode commands.

Several files can be loaded at once. After loading, typing file lists the currently loaded files, and file <file id> switches the current file.

(2) show: display information

(ls/ELF/x86_64)> show

show <info>  -  shows informations about the loaded file
Available informations:

architecture
entry_point
file_type
image_base
imports
information
sections
segments
symbols

(3) search: search for gadgets

search [/<quality>/] <string>  -  search gadgets.

/quality/ The quality of the gadget (1 = best). The better the quality, the fewer instructions there are between the found instruction and ret.

? any character

% any string

(ls/ELF/x86_64)> search /1/ mov [%], edx  # note the single space before edx: with no space or more than one space, nothing is found

[INFO] Searching for gadgets: mov [%], edx


[INFO] File: /usr/bin/ls
0x0000000000014916: mov dword ptr [rsi], edx; ret;


(ls/ELF/x86_64)> search /1/ mov [%], e?x

[INFO] Searching for gadgets: mov [%], e?x
[INFO] File: /usr/bin/ls
0x000000000000f4b0: mov dword ptr [rdi + 8], eax; ret;
0x00000000000077e7: mov dword ptr [rip + 0x1ca27], eax; ret;
0x000000000000e4c0: mov dword ptr [rsi + 0xa], eax; ret;
0x0000000000014916: mov dword ptr [rsi], edx; ret;
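As an added example (not Ropper's own code), the following Python re-implements the search syntax documented above, the /quality/ filter, and the badbytes setting from section (7), and runs it over the result lines printed above plus one constructed gadget. It assumes that capstone's size qualifier ("dword ptr") is ignored when matching and that badbytes is checked against the address's significant bytes only; both are simplifications of what Ropper itself does.

```python
import re
from dataclasses import dataclass

# Constructed sample in Ropper's output format: the four results printed above
# for /usr/bin/ls, plus one made-up longer gadget (address 0x200a chosen to
# contain the bad byte 0x0a) to exercise the quality and badbytes filters.
SAMPLE_GADGETS = """\
0x000000000000f4b0: mov dword ptr [rdi + 8], eax; ret;
0x00000000000077e7: mov dword ptr [rip + 0x1ca27], eax; ret;
0x000000000000e4c0: mov dword ptr [rsi + 0xa], eax; ret;
0x0000000000014916: mov dword ptr [rsi], edx; ret;
0x000000000000200a: mov dword ptr [rsi], edx; pop rbx; ret;
"""

@dataclass
class Gadget:
    address: int
    instructions: list  # e.g. ["mov dword ptr [rsi], edx", "ret"]

def parse_gadgets(text):
    """Parse '<addr>: <ins>; <ins>; ...;' lines into Gadget objects."""
    gadgets = []
    for line in text.splitlines():
        addr, _, body = line.partition(": ")
        instrs = [i.strip() for i in body.split(";") if i.strip()]
        gadgets.append(Gadget(int(addr, 16), instrs))
    return gadgets

def pattern_to_regex(pattern):
    """Ropper search syntax: '?' = any single character, '%' = any string;
    every other character (brackets, commas, spaces) is literal, which is why
    'mov [%],edx' without the space finds nothing."""
    parts = [".*" if c == "%" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts))

# Assumption: match against the instruction with capstone's size qualifier
# ("dword ptr" etc.) removed, so 'mov [%], edx' hits 'mov dword ptr [rsi], edx'.
_SIZE_QUALIFIER = re.compile(r"\b(?:byte|word|dword|qword) ptr ")

def search(gadgets, pattern, quality=None, badbytes=b""):
    """quality N keeps gadgets with at most N instructions before the final ret
    (1 = best); badbytes rejects addresses whose significant bytes contain any
    of them (a simplification of Ropper's own address check)."""
    regex = pattern_to_regex(pattern)
    hits = []
    for g in gadgets:
        if not any(regex.match(_SIZE_QUALIFIER.sub("", i)) for i in g.instructions):
            continue
        if quality is not None and len(g.instructions) > quality + 1:
            continue
        width = max(1, (g.address.bit_length() + 7) // 8)
        if any(b in g.address.to_bytes(width, "little") for b in badbytes):
            continue
        hits.append(g)
    return hits
```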

 

(4) type

Sets the gadget type: sets the gadget type (rop, jop, sys, all, default: all)

(5) inst

Searches instructions in executable sections.

This command appears to be broken and cannot be executed. The documentation also does not say how to find gadgets in executable sections.

(6) stack_pivot

Prints all stack pivot gadgets.

(7) settings

Shows the current settings:

Settings
========

Name                Value  Description
----                -----  -----------
all                 off    If on shows all found gadgets including double gadgets
color               on     If on output is colored
badbytes                   Gadget addresses are not allowed to contain this bytes
detailed            off    If on the gadgets will be printed with more detailed information
inst_count          6      The max count of instructions in a gadgets
type                all    The file is scanned for this type of gadgets. (rop, jop, sys, all)
cfg_only            off    if on gadgets are filtered for use in CFG exploits (only PE)
count_of_findings   5      The max count of findings which will be printed with semantic search (0 = undefined, default: 5)
multiprocessing     on     If on multiple processes will be used for gadget scanning (not supported on Windows.)

(8) ropchain

Generates a complete ROP chain. Running it emits a piece of Python code; running that code produces the corresponding ROP chain.

Three chain types are currently supported: execve, mprotect and virtualprotect.

 

3. Example uses

All taken from the documentation:

  [Generic]

  ./Ropper.py
  ./Ropper.py --file /bin/ls --console

  [Informations]

  ./Ropper.py --file /bin/ls           # prints all gadgets
  ./Ropper.py --file /bin/ls --info    # shows file information (file header)
  ./Ropper.py --file /bin/ls --imports
  ./Ropper.py --file /bin/ls --sections
  ./Ropper.py --file /bin/ls --segments
  ./Ropper.py --file /bin/ls --set nx   # set nx ???
  ./Ropper.py --file /bin/ls --unset nx
  ./Ropper.py --file /bin/ls --inst-count 5
  ./Ropper.py --file /bin/ls --search "sub eax" --badbytes 000a0d
  ./Ropper.py --file /bin/ls --search "sub eax" --detail     # oddly, in interactive mode the --detail and --badbytes options have no effect
  ./Ropper.py --file /bin/ls --filter "sub eax"
  ./Ropper.py --file /bin/ls --inst-count 5 --filter "sub eax"
  ./Ropper.py --file /bin/ls --opcode ffe4
  ./Ropper.py --file /bin/ls --opcode ffe?
  ./Ropper.py --file /bin/ls --opcode ??e4
  ./Ropper.py --file /bin/ls --detailed                       # prints all gadgets, with details
  ./Ropper.py --file /bin/ls --ppr --nocolor
  ./Ropper.py --file /bin/ls --jmp esp,eax
  ./Ropper.py --file /bin/ls --type jop
  ./Ropper.py --file /bin/ls --chain execve
  ./Ropper.py --file /bin/ls --chain "execve cmd=/bin/sh" --badbytes 000a0d
  ./Ropper.py --file /bin/ls --chain "mprotect address=0xbfdff000 size=0x21000"

  [Assemble/Disassemble]

  ./Ropper.py --asm "jmp esp"
  ./Ropper.py --asm "mov eax, ecx; ret"
  ./Ropper.py --disasm ffe4

  [Search]

  ./Ropper.py --file /bin/ls --search <searchstring>
  ?     any character
  %     any string

Search for all stack pivots in vmlinux and save them to a text file:

$ ropper  --file  ~/worktable/linux-4.9.304/vmlinux --stack-pivot > stack-pivot.txt

4. Semantic search

Uses Z3 to search for gadgets that satisfy given constraints. It requires pyvex and z3py to be installed and is still under development. I have not used it.

5. References

https://github.com/sashs/Ropper

 

Posted 2022-05-04 11:16 by robotech_erx

This article is copyright of the author robotech_erx; please credit the source when reposting: https://www.cnblogs.com/robotech/