ROPgadget – This Tool Lets You Search Your Gadgets On Your Binaries To Facilitate Your ROP Exploitation

This tool lets you search your gadgets on your binaries to facilitate your ROP exploitation. ROPgadget supports the ELF/PE/Mach-O formats on the x86, x64, ARM, ARM64, PowerPC, SPARC and MIPS architectures. Since version 5, ROPgadget has a new core written in Python that uses the Capstone disassembly framework for the gadget search engine. The older version can be found in the Archives directory, but it will not be maintained.

Install

If you want to use ROPgadget, you have to install Capstone first. To install Capstone on a *nix machine:

$ sudo pip install capstone

Capstone supports multiple platforms (Windows, iOS, Android, Cygwin...). For cross-compilation, please refer to the https://github.com/aquynh/capstone/blob/master/COMPILE.TXT file.

After Capstone is installed, ROPgadget can be used as a standalone tool:

$ ROPgadget.py

Or installed into the Python site-packages library and executed from $PATH:

$ python setup.py install
$ ROPgadget

Or installed from PyPI:

$ pip install ropgadget
$ ROPgadget

Usage

usage: ROPgadget.py [-h] [-v] [-c] [--binary <binary>] [--opcode <opcodes>]
                    [--string <string>] [--memstr <string>] [--depth <nbyte>]
                    [--only <key>] [--filter <key>] [--range <start-end>]
                    [--badbytes <byte>] [--rawArch <arch>] [--rawMode <mode>]
                    [--re <re>] [--offset <hexaddr>] [--ropchain] [--thumb]
                    [--console] [--norop] [--nojop] [--nosys] [--multibr]
                    [--all] [--dump]

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         Display the ROPgadget's version
  -c, --checkUpdate     Checks if a new version is available
  --binary <binary>     Specify a binary filename to analyze
  --opcode <opcodes>    Search opcode in executable segment
  --string <string>     Search string in readable segment
  --memstr <string>     Search each byte in all readable segment
  --depth <nbyte>       Depth for search engine (default 10)
  --only <key>          Only show specific instructions
  --filter <key>        Suppress specific instructions
  --range <start-end>   Search between two addresses (0x...-0x...)
  --badbytes <byte>     Rejects specific bytes in the gadget's address
  --rawArch <arch>      Specify an arch for a raw file
  --rawMode <mode>      Specify a mode for a raw file
  --re <re>             Regular expression
  --offset <hexaddr>    Specify an offset for gadget addresses
  --ropchain            Enable the ROP chain generation
  --thumb               Use the thumb mode for the search engine (ARM only)
  --console             Use an interactive console for search engine
  --norop               Disable ROP search engine
  --nojop               Disable JOP search engine
  --callPreceded        Only show gadgets which are call-preceded (x86 only)
  --nosys               Disable SYS search engine
  --multibr             Enable multiple branch gadgets
  --all                 Disables the removal of duplicate gadgets
  --dump                Outputs the gadget bytes
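To make the search engine's `--depth`, duplicate removal and `--badbytes` options concrete, here is an added toy example that is not ROPgadget's code: it anchors on every `ret`, walks back up to `depth` bytes and keeps each cleanly decoded sequence, the same shape of search ROPgadget performs with Capstone. To stay dependency-free, the decode table is a constructed subset of single-byte x86 opcodes, and the byte blob `SAMPLE` is constructed; names such as `find_gadgets` and `reject_badbytes` are this example's own.

```python
"""Added example: a toy ret-anchored gadget search in the style of ROPgadget.

This is not ROPgadget's code.  ROPgadget locates every `ret`, then disassembles
backwards from it up to --depth bytes with Capstone and keeps each sequence that
decodes cleanly and ends at that `ret`.  To run without Capstone, this toy
decoder only knows a few single-byte x86 opcodes; any other byte ends the walk.
"""

# Hypothetical decode table: a constructed subset of single-byte x86 opcodes.
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
ONE_BYTE = {0x90: "nop", 0xC3: "ret", 0xC9: "leave", 0xCC: "int3"}
for _i, _r in enumerate(REGS32):
    ONE_BYTE[0x50 + _i] = f"push {_r}"
    ONE_BYTE[0x58 + _i] = f"pop {_r}"


def decode_linear(code, start, end):
    """Decode code[start:end] as a straight run of one-byte instructions.

    Returns the mnemonic list, or None if an unknown byte is hit or a `ret`
    occurs before the final byte (a sequence that returns early is not a
    usable gadget, so it is dropped).
    """
    insns = []
    for pos in range(start, end):
        mnem = ONE_BYTE.get(code[pos])
        if mnem is None or (mnem == "ret" and pos != end - 1):
            return None
        insns.append(mnem)
    return insns


def find_gadgets(code, base=0, depth=10):
    """Return {address: "insn ; insn ; ret"} for every gadget ending in a ret.

    `depth` mirrors ROPgadget's --depth: at most that many bytes before the
    ret are tried as a start offset.
    """
    gadgets = {}
    for ret_off in (i for i, b in enumerate(code) if b == 0xC3):
        for start in range(max(0, ret_off - depth), ret_off + 1):
            insns = decode_linear(code, start, ret_off + 1)
            if insns is not None:
                gadgets[base + start] = " ; ".join(insns)
    return gadgets


def unique_gadgets(gadgets):
    """Default behaviour (without --all): keep the lowest address per sequence."""
    first = {}
    for addr in sorted(gadgets):
        first.setdefault(gadgets[addr], addr)
    return {addr: text for text, addr in first.items()}


def reject_badbytes(gadgets, badbytes, width=4):
    """Like --badbytes: drop gadgets whose little-endian address holds a bad byte."""
    bad = set(badbytes)
    return {a: t for a, t in gadgets.items()
            if not bad & set(a.to_bytes(width, "little"))}


# Constructed sample: a function epilogue followed by some nop filler.
SAMPLE = bytes([0x55, 0x31, 0xC0, 0x5B, 0x5D, 0xC3, 0x90, 0x90, 0xC3, 0xFF])

if __name__ == "__main__":
    found = unique_gadgets(find_gadgets(SAMPLE, base=0x08048000, depth=4))
    for addr, text in sorted(found.items()):
        print(f"0x{addr:08x} : {text}")
```

With `depth=4` the walk back from the first `ret` stops at the unknown bytes `0x31 0xC0`, which is why a real tool needs a full disassembler: multi-byte instructions are exactly what this toy decoder cannot follow.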

Link: http://feedproxy.google.com/~r/PentestTools/~3/GLrMnvW88oo/ropgadget-this-tool-lets-you-search.html

Rop-Tool – A Tool To Help You Write Binary Exploits

A tool to help you write binary exploits.

OPTIONS

rop-tool v2.4.1
Help you to make binary exploits.

Usage: rop-tool [OPTIONS]

Commands:
  gadget        Search gadgets
  patch         Patch the binary
  info          Print info about binary
  heap          Display heap structure
  disassemble   Disassemble the binary
  search        Search on binary
  help          Print help
  version       Print version

Try "rop-tool help <cmd>" for more information about a command.

GADGET COMMAND

Usage: rop-tool gadget [OPTIONS] [FILENAME]

OPTIONS:
  --arch, -A          Select an architecture (x86, x86-64, arm, arm64)
  --all, -a           Print all gadgets (even gadgets which are not unique)
  --depth, -d [d]     Specify the depth for gadget searching (default is 5)
  --flavor, -f [f]    Select a flavor (att or intel)
  --no-filter, -F     Do not apply some filters on gadgets
  --help, -h          Print this help message
  --no-color, -N      Do not colorize output

SEARCH COMMAND

Usage: rop-tool search [OPTIONS] [FILENAME]

OPTIONS:
  --all-string, -a [n]    Search all printable strings of at least [n] characters (default is 6)
  --byte, -b [b]          Search the byte [b] in binary
  --dword, -d [d]         Search the dword [d] in binary
  --help, -h              Print this help message
  --no-color, -N          Don't colorize output
  --qword, -q [q]         Search the qword [q] in binary
  --raw, -r               Open file in raw mode (don't consider any file format)
  --split-string, -s [s]  Search a string "split" in memory (which is not contiguous in memory)
  --string, -S [s]        Search a string (a byte sequence) in binary
  --word, -w [w]          Search the word [w] in binary

PATCH COMMAND

Usage: rop-tool patch [OPTIONS] [FILENAME]

OPTIONS:
  --address, -a [a]   Select an address to patch
  --bytes, -b [b]     A byte sequence (e.g. "\xaa\xbb\xcc") to write
  --filename, -f [f]  Specify the filename
  --help, -h          Print this help message
  --offset, -o [o]    Select an offset to patch (from start of the file)
  --output, -O [o]    Write to another filename
  --raw, -r           Open file in raw mode

INFO COMMAND

Usage: rop-tool info [OPTIONS] [FILENAME]

OPTIONS:
  --all, -a           Show all info
  --segments, -l      Show segments
  --sections, -s      Show sections
  --syms, -S          Show symbols
  --filename, -f [f]  Specify the filename
  --help, -h          Print this help message
  --no-color, -N      Disable colors

HEAP COMMAND

Usage: rop-tool heap [OPTIONS] [COMMAND]

OPTIONS:
  --calloc, -C        Trace calloc calls
  --free, -F          Trace free calls
  --realloc, -R       Trace realloc calls
  --malloc, -M        Trace malloc calls
  --dumpdata, -d      Dump chunk's data
  --output, -O        Output in a file
  --help, -h          Print this help message
  --tmp, -t <d>       Specify the writable directory, to dump the library (default: /tmp/)
  --no-color, -N      Do not colorize output

Short explanation of the output of the heap command

Each line corresponds to a malloc chunk, and the heap is dumped after each execution of a heap function (free, malloc, realloc, calloc).

  addr:      the real address of the malloc chunk
  usr_addr:  the address returned by the malloc functions to the user
  size:      the size of the malloc chunk
  flags:     P is PREV_INUSE, M is IS_MMAPPED and A is NON_MAIN_ARENA

DISASSEMBLE COMMAND

Usage: rop-tool dis [OPTIONS] [FILENAME]

OPTIONS:
  --help, -h          Print this help message
  --no-color, -N      Do not colorize output
  --address, -a <a>   Start disassembling at address <a>
  --offset, -o <o>    Start disassembling at offset <o>
  --sym, -s <s>       Disassemble symbol
  --len, -l <l>       Disassemble only <l> bytes
  --arch, -A <a>      Select architecture (x86, x86-64, arm, arm64)
  --flavor, -f <f>    Change flavor (intel, att)

FEATURES

  String searching, gadget searching, patching, info, heap visualization, disassembling
  Colored output
  Intel and AT&T flavor
  Support of ELF, PE and Mach-O binary format
  Support of big and little endian
  Support of x86, x86_64, ARM and ARM64 architecture

EXAMPLES

Basic gadget searching:
  rop-tool gadget ./program

Display all gadgets with AT&T syntax:
  rop-tool gadget ./program -f att -a

Search in a raw x86 file:
  rop-tool gadget ./program -A x86

Search a "split" string in the binary:
  rop-tool search ./program -s "/bin/sh"

Search all strings in the binary:
  rop-tool search ./program -a

Patch the binary at offset 0x1000 with "\xaa\xbb\xcc\xdd" and save as "patched":
  rop-tool patch ./program -o 0x1000 -b "\xaa\xbb\xcc\xdd" -O patched

Visualize the heap allocations of the /bin/ls command:
  rop-tool heap /bin/ls

Disassemble 0x100 bytes at address 0x08048452:
  rop-tool dis /bin/ls -l 0x100 -a 0x08048452

SCREENSHOTS

  rop-tool gadget /bin/ls
  rop-tool search /bin/ls -a
  rop-tool search /bin/ls -s "/bin/sh\x00"
  rop-tool search /bin/ls -w 0x90
  rop-tool heap ./a.out
  rop-tool dis ./bin   # Many formats

HOW TO CONTRIBUTE

  Programming (see the TODO file if you need ideas)
  Report bugs
  Improve documentation
  Submit new ideas...

DEPENDENCIES

  capstone

AUTHOR

  Tosh (tosh -at- t0x0sh dot org)
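The heap command's addr / usr_addr / size / flags columns come straight from the glibc chunk header, so as an added example (not rop-tool's code) here is a decoder that walks a constructed 64-bit heap image and prints those columns, including the P, M and A bits. It assumes the standard glibc chunk layout (two size_t header words, the three low bits of `size` used as flags); rop-tool reads the live process instead of a byte string, and the names `decode_chunk`, `walk_heap` and `format_line` are this example's own.

```python
"""Added example (not rop-tool's code): decode glibc malloc chunk headers and
print them in the addr / usr_addr / size / flags layout the heap command
describes.  The heap image is constructed here; rop-tool reads the live
process instead.  Chunk layout assumed: 64-bit glibc, two size_t header words
(prev_size, size), with the three low bits of `size` used as flags."""
import struct

PREV_INUSE, IS_MMAPPED, NON_MAIN_ARENA = 0x1, 0x2, 0x4
SIZE_BITS = PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA
FLAG_LETTERS = (("P", PREV_INUSE), ("M", IS_MMAPPED), ("A", NON_MAIN_ARENA))


def decode_chunk(raw, off, base=0, bits=64):
    """Decode the chunk header at raw[off:]; `base` is the address of raw[0]."""
    word = bits // 8
    fmt = "<QQ" if bits == 64 else "<II"
    prev_size, size_field = struct.unpack_from(fmt, raw, off)
    return {
        "addr": base + off,                 # start of the chunk header
        "usr_addr": base + off + 2 * word,  # pointer handed back by malloc
        "size": size_field & ~SIZE_BITS,    # chunk size with flag bits masked off
        "prev_size": prev_size,             # meaningful only when P is clear
        "flags": "".join(l for l, bit in FLAG_LETTERS if size_field & bit),
    }


def walk_heap(raw, base=0, bits=64):
    """Walk adjacent chunks from raw[0] until the image ends or a header is
    corrupt (zero or out-of-bounds size), which is where a dump should stop
    rather than run off the end of the buffer."""
    chunks, off, word = [], 0, bits // 8
    while off + 2 * word <= len(raw):
        c = decode_chunk(raw, off, base, bits)
        if c["size"] == 0 or off + c["size"] > len(raw):
            break
        chunks.append(c)
        off += c["size"]
    return chunks


def format_line(c):
    """One output line per chunk, in the same column order as rop-tool heap."""
    return (f"addr: 0x{c['addr']:x} usr_addr: 0x{c['usr_addr']:x} "
            f"size: 0x{c['size']:x} flags: {c['flags'] or '-'}")


# Constructed 64-bit heap image: chunk A (in use), chunk B (freed), and
# chunk C (in use); because B is free, C's P bit is clear and C's prev_size
# records B's size.
SAMPLE_HEAP = (
    struct.pack("<QQ", 0, 0x20 | PREV_INUSE) + b"A" * 0x10
    + struct.pack("<QQ", 0, 0x30 | PREV_INUSE) + b"\x00" * 0x20
    + struct.pack("<QQ", 0x30, 0x40) + b"C" * 0x30
)

if __name__ == "__main__":
    for chunk in walk_heap(SAMPLE_HEAP, base=0x602000):
        print(format_line(chunk))
```

Reading the dump this way shows why the flags matter: a chunk whose P bit is clear tells you the previous chunk is free, and the M bit marks a chunk that was mmap'd rather than carved from the arena, so its neighbours in the walk are not adjacent in memory.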

Link: http://feedproxy.google.com/~r/PentestTools/~3/RUqTfHOHOPU/rop-tool-tool-to-help-you-write-binary.html

CAVE MINER – Search for Code Cave in All Binaries (ELF, PE and Mach-o) and Inject Payload

This tool searches for code caves in binaries (ELF, Mach-O, PE) and injects code into them.

Features

  Find code caves in ELF, PE and Mach-O
  Use custom bytes for the search (e.g. 0xCC can be used as null bytes on PE)
  See the virtual address of the code cave
  See the permissions of the code caves
  Search for a custom cave size
  Inject the payload into the binary

Dependencies

  Python 2.7

Installation

  pip install cave-miner
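The cave search itself is a run-length scan over the file image, mapped back through the section table to get a virtual address and permissions, which is the part of the feature list above worth seeing in code. The following added example is not CAVE MINER's code: it finds runs of a configurable filler byte of at least a given size and reports the containing section, virtual address and permissions for each. The section table `SECTIONS` and the file image `IMAGE` are constructed stand-ins for what a real tool would parse from the ELF/PE/Mach-O headers, and `find_caves` / `locate_caves` are this example's own names; nothing here modifies a file.

```python
"""Added example (not CAVE MINER's code): locate code caves, i.e. runs of a
filler byte long enough to matter, and report where they land.  The section
table and the file image below are constructed; a real tool reads them from
the ELF/PE/Mach-O headers.  Nothing here writes to a file."""


def find_caves(data, min_size, fill=0x00):
    """Return [(file_offset, length)] for every run of `fill` bytes that is at
    least `min_size` long.  `fill` is the custom search byte (e.g. 0xCC)."""
    caves, i, n = [], 0, len(data)
    while i < n:
        if data[i] != fill:
            i += 1
            continue
        j = i
        while j < n and data[j] == fill:
            j += 1
        if j - i >= min_size:
            caves.append((i, j - i))
        i = j
    return caves


def locate_caves(caves, sections):
    """Attach the containing section, its permissions and the cave's virtual
    address to each cave.  Sections are dicts with name, file_off, size, vaddr
    and perms (constructed format); a cave outside every section gets None."""
    located = []
    for off, length in caves:
        hit = next((s for s in sections
                    if s["file_off"] <= off < s["file_off"] + s["size"]), None)
        located.append({
            "offset": off,
            "length": length,
            "section": hit["name"] if hit else None,
            "vaddr": hit["vaddr"] + (off - hit["file_off"]) if hit else None,
            "perms": hit["perms"] if hit else None,
        })
    return located


# Constructed section table for a small ELF-like image.
SECTIONS = [
    {"name": ".text", "file_off": 0x100, "size": 0x80, "vaddr": 0x401100, "perms": "r-x"},
    {"name": ".data", "file_off": 0x180, "size": 0x40, "vaddr": 0x403180, "perms": "rw-"},
]

# Constructed file image: a zero-free 0x100-byte header, then .text with 0x30
# bytes of zero padding in the middle, then a .data section that is all zero.
IMAGE = (
    b"\x7fELF" + bytes(range(1, 0xFD))                   # 0x100 bytes, no zeros
    + b"\x90" * 0x10 + b"\x00" * 0x30 + b"\xc3" * 0x40   # .text
    + b"\x00" * 0x40                                     # .data
)

if __name__ == "__main__":
    for cave in locate_caves(find_caves(IMAGE, min_size=0x20), SECTIONS):
        print(f"offset 0x{cave['offset']:x} len 0x{cave['length']:x} "
              f"section {cave['section']} vaddr 0x{cave['vaddr']:x} perms {cave['perms']}")
```

The permissions column is the useful one from a review standpoint: padding inside an `r-x` section is the kind of region a file-integrity check or a post-build comparison should flag if it ever stops being filler.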

Link: http://feedproxy.google.com/~r/PentestTools/~3/ZobfyklO66M/cave-miner-search-for-code-cave-in-all.html