Another (bad) ROP gadget finder, but this time in Rust

hugsy/ropgadget-rs

ropgadget-rs

RopGadget-rs started as a weekend project to learn Rust. As usual, though, it also grew out of the need for a really fast and easily portable ROP gadget finder that can quickly handle any binary, especially very large ones such as mshtml, ntoskrnl, chrome, etc.

Note

This library is a side project to learn Rust. If you want better tools, see the ones mentioned at the bottom of the page.

Currently supports:

  • File formats: ELF, PE, MachO
  • Architectures: x86, x64, arm, arm64

Since 0.4, RopGadget-rs has been redesigned to build as a library so it can be integrated into other projects. A lightweight standalone binary exposing everything the library offers can also be built.
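The page does not show the library's API or how it locates gadgets, so here is the core of a ROP gadget finder written for this page as an added example; it is not ropgadget-rs code. It walks backward from every `ret` / `ret imm16` opcode in an executable section, keeps each start offset that decodes cleanly into that ret, and scans sections on a fixed number of worker threads (the tool's "with 2 threads" log line). The decoder covers only `push`/`pop` (with a REX.B prefix), `nop` and `ret`; the section bytes are constructed; and every name here (`Section`, `Gadget`, `find_all`, the 8-byte search depth) is this example's own assumption, not anything from the project.

```rust
// Added example, not ropgadget-rs code: a minimal x86-64 ROP gadget finder.
// It understands only push/pop (with REX.B), nop, ret and ret imm16, and
// scans constructed bytes rather than a parsed ELF/PE/MachO section.
use std::collections::BTreeSet;

/// One executable section: where it is loaded and its raw bytes.
struct Section<'a> {
    name: &'a str,
    base: u64,
    data: &'a [u8],
}

/// A gadget: address of its first instruction and its mnemonic text.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
struct Gadget {
    addr: u64,
    text: String,
}

const REGS: [&str; 8] = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"];
const REGS_EXT: [&str; 8] = ["r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"];

/// Decode one instruction at the start of `code`: (length, mnemonic), or
/// None when the bytes fall outside the tiny subset this example knows.
fn decode(code: &[u8]) -> Option<(usize, String)> {
    let rex_b = *code.first()? == 0x41;
    let rest = if rex_b { &code[1..] } else { code };
    let op = *rest.first()?;
    let regs = if rex_b { &REGS_EXT } else { &REGS };
    let one = |s: String| Some((1 + rex_b as usize, s));
    match op {
        0x50..=0x57 => one(format!("push {}", regs[(op - 0x50) as usize])),
        0x58..=0x5F => one(format!("pop {}", regs[(op - 0x58) as usize])),
        // REX.B changes the meaning of other opcodes (41 90 is xchg r8, rax);
        // refuse them rather than mis-decode.
        _ if rex_b => None,
        0x90 => one("nop".to_string()),
        0xC3 => one("ret".to_string()),
        0xC2 if rest.len() >= 3 => {
            let imm = u16::from_le_bytes([rest[1], rest[2]]);
            Some((3, format!("ret 0x{:x}", imm)))
        }
        _ => None,
    }
}

/// Decode `window` as a straight run of instructions that ends exactly on
/// the ret at its end. Returns the "a ; b ; ret" text, or None.
fn decode_run(window: &[u8]) -> Option<String> {
    let mut pos = 0;
    let mut parts: Vec<String> = Vec::new();
    while pos < window.len() {
        let (len, text) = decode(&window[pos..])?;
        pos += len;
        let is_ret = text.starts_with("ret");
        parts.push(text);
        // A ret before the end of the window belongs to a shorter gadget;
        // the bytes after it never execute as part of this one.
        if is_ret && pos != window.len() {
            return None;
        }
    }
    match parts.last() {
        Some(last) if last.starts_with("ret") => Some(parts.join(" ; ")),
        _ => None,
    }
}

/// Scan one section: for every ret opcode, try every start offset up to
/// `depth` bytes before it. Different start offsets over the same bytes give
/// different gadgets because x86 encoding is variable-length.
fn find_gadgets(sec: &Section<'_>, depth: usize) -> Vec<Gadget> {
    let mut out = Vec::new();
    for (i, &b) in sec.data.iter().enumerate() {
        let end = match b {
            0xC3 => i + 1,                            // ret
            0xC2 if i + 3 <= sec.data.len() => i + 3, // ret imm16
            _ => continue,
        };
        for start in end.saturating_sub(depth)..=i {
            if let Some(text) = decode_run(&sec.data[start..end]) {
                out.push(Gadget { addr: sec.base + start as u64, text });
            }
        }
    }
    out
}

/// Scan all sections on `threads` workers; return unique gadgets (lowest
/// address per mnemonic text) sorted by address.
fn find_all(sections: &[Section<'_>], depth: usize, threads: usize) -> Vec<Gadget> {
    let threads = threads.max(1);
    let per = ((sections.len() + threads - 1) / threads).max(1);
    let mut found = Vec::new();
    std::thread::scope(|s| {
        let handles: Vec<_> = sections
            .chunks(per)
            .map(|chunk| s.spawn(move || {
                chunk.iter().flat_map(|sec| find_gadgets(sec, depth)).collect::<Vec<_>>()
            }))
            .collect();
        for h in handles {
            found.extend(h.join().expect("worker panicked"));
        }
    });
    found.sort();
    let mut seen = BTreeSet::new();
    found.into_iter().filter(|g| seen.insert(g.text.clone())).collect()
}

/// Constructed sample bytes (not taken from any real binary):
///   41 5f  pop r15   5f  pop rdi   c3  ret
///   90     nop       58  pop rax   c2 08 00  ret 0x8
const TEXT: [u8; 9] = [0x41, 0x5F, 0x5F, 0xC3, 0x90, 0x58, 0xC2, 0x08, 0x00];

fn main() {
    let secs = [Section { name: ".text", base: 0x1000, data: &TEXT }];
    for s in &secs {
        println!("[INFO] scanning {} ({} bytes)", s.name, s.data.len());
    }
    for g in find_all(&secs, 8, 2) {
        println!("0x{:x}: {}", g.addr, g.text);
    }
}
```

The sample shows why backward scanning from `ret` finds more than the compiler emitted: starting one byte into `41 5f` (`pop r15`) yields `pop rdi ; pop rdi ; ret` at 0x1001, a gadget that never exists as intended code. A real finder keeps this loop but swaps the toy decoder for a full disassembler and takes section bytes and base addresses from the ELF/PE/MachO headers instead of a constant.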

Build

(Optional) If you don't have cargo, install the Rust toolchain with rustup:

  • On Linux/MacOS
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
  • On Windows
Invoke-WebRequest https://win.rustup.rs/x86_64 -UseBasicParsing -OutFile "rustup-init.exe"
Invoke-Expression rustup-init.exe

Then build:

git clone https://github.com/hugsy/ropgadget-rs
cd ropgadget-rs
cargo build --release --lib

You might also want to build the ropgadget-rs binary so it can be easily used from the command line:

cargo build --release --example rp-rs

And run:

cargo run -- --help

Install

Via cargo

cargo install --bins --git https://github.com/hugsy/ropgadget-rs.git

Performance

The tool performs decently but could be optimized a great deal (and will be, over time). Here are some timings obtained on an old i5-4300M (built in --release mode) with 2 threads (the default):

  • ntoskrnl.exe (Windows 10 RS6 - 10.0.19041.329) - 10,921,280 bytes
>  ./ropgadget-rs.exe -o rop.txt -vv ./ntoskrnl-rs6.exe
[INFO] - Checking file './ntoskrnl-rs6.exe'
[INFO] - Creating new Session(file=./ntoskrnl-rs6.exe, Info(Arch=x86-64, OS=PE))
[INFO] - Looking for gadgets in 15 sections (with 2 threads)...'
[INFO] - Dumping 336787 gadgets to 'rop.txt'...
[INFO] - Done!
[INFO] - Execution: 336787 gadgets found in 13.5224138s
  • msedge.dll (Chromium Edge - 83.0.478.64) - 145,665,416 bytes
> ./ropgadget-rs -o rop.txt -vv ./msedge.dll
[INFO] - Checking file './msedge.dll'
[INFO] - Creating new Session(file=./msedge.dll, Info(Arch=x86-64, OS=PE))
[INFO] - Looking for gadgets in 1 sections (with 2 threads)...'
[INFO] - Dumping 5713703 gadgets to 'rop.txt'...
[INFO] - Done!
[INFO] - Execution: 5713703 gadgets found in 132.2237842s

YMMV, but most small files (such as typical Unix binaries) are processed in well under a second.

$ ./ropgadget-rs -vv -o /dev/null /bin/ls
[INFO] - Checking file '/bin/ls'
[INFO] - Creating new Session(file=/bin/ls, Info(Arch=x86-64, OS=ELF))
[INFO] - Looking for gadgets in 5 sections (with 2 threads)...'
[INFO] - Dumping 3544 gadgets to '/dev/null'...
[INFO] - Done!
[INFO] - Execution: 3544 gadgets found in 151.5587ms

Better projects

Unless you're OK with experiencing my bugs, you should probably check out one of these projects: