Topic author: Rop-Tool - A Tool To Help You Write Binary Exploits (Read 201 times)


Ruggero Respigo (Global Moderator)
Rop-Tool - A Tool To Help You Write Binary Exploits
« Reply #1 on: March 19, 2018, 07:08:31 pm »

A tool to help you write binary exploits.

OPTIONS
rop-tool v2.4.1
Help you to make binary exploits.

Usage: rop-tool <cmd> [OPTIONS]

Commands :
   gadget        Search gadgets
   patch         Patch the binary
   info          Print info about binary
   heap          Display heap structure
   disassemble   Disassemble the binary
   search        Search on binary
   help          Print help
   version       Print version

Try "rop-tool help <cmd>" for more information about a command.

GADGET COMMAND
Usage : rop-tool gadget [OPTIONS] [FILENAME]

OPTIONS:
  --arch, -A               Select an architecture (x86, x86-64, arm, arm64)
  --all, -a                Print all gadgets (even gadgets which are not unique)
  --depth, -d         [d]  Specify the depth for gadget searching (default is 5)
  --flavor, -f        [f]  Select a flavor (att or intel)
  --no-filter, -F          Do not apply some filters on gadgets
  --help, -h               Print this help message
  --no-color, -N           Do not colorize output

SEARCH COMMAND
Usage : rop-tool search [OPTIONS] [FILENAME]

OPTIONS:
  --all-string, -a    [n]  Search all printable strings of at least [n] characters (default is 6)
  --byte, -b          [b]  Search the byte [b] in binary
  --dword, -d         [d]  Search the dword [d] in binary
  --help, -h               Print this help message
  --no-color, -N           Don't colorize output
  --qword, -q         [q]  Search the qword [q] in binary
  --raw, -r                Open file in raw mode (don't consider any file format)
  --split-string, -s  [s]  Search a "split" string (one whose bytes are not contiguous in memory)
  --string, -S        [s]  Search a string (a byte sequence) in binary
  --word, -w          [w]  Search the word [w] in binary

PATCH COMMAND
Usage : rop-tool patch [OPTIONS] [FILENAME]

OPTIONS:
  --address, -a       [a]  Select an address to patch
  --bytes, -b         [b]  A byte sequence (e.g. : "\xaa\xbb\xcc") to write
  --filename, -f      [f]  Specify the filename
  --help, -h               Print this help message
  --offset, -o        [o]  Select an offset to patch (from start of the file)
  --output, -O        [o]  Write to an another filename
  --raw, -r                Open file in raw mode

INFO COMMAND
Usage : rop-tool info [OPTIONS] [FILENAME]

OPTIONS:
  --all, -a                Show all info
  --segments, -l           Show segments
  --sections, -s           Show sections
  --syms, -S               Show symbols
  --filename, -f      [f]  Specify the filename
  --help, -h               Print this help message
  --no-color, -N           Disable colors

HEAP COMMAND
Usage : rop-tool heap [OPTIONS] [COMMAND]

OPTIONS:
  --calloc, -C             Trace calloc calls
  --free, -F               Trace free calls
  --realloc, -R            Trace realloc calls
  --malloc, -M             Trace malloc calls
  --dumpdata, -d           Dump chunk's data
  --output, -O             Output in a file
  --help, -h               Print this help message
  --tmp, -t        <d>     Specify the writable directory, to dump the library (default: /tmp/)
  --no-color, -N           Do not colorize output
A short explanation of the heap command's output
Each line corresponds to one malloc chunk, and the heap is dumped after every call to a heap function (free, malloc, realloc, calloc):
  • addr: the real address of the malloc chunk (its header)
  • usr_addr: the address the malloc function returned to the caller
  • size: the size of the malloc chunk
  • flags: P is PREV_INUSE, M is IS_MMAPPED and A is NON_MAIN_ARENA
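As an added example (not rop-tool's own code), the following C decodes constructed 64-bit glibc chunk headers into the same four columns, which is handy for checking the heap command's rows against a raw memory dump. It assumes the glibc layout the flags above refer to (a prev_size word, then a size word carrying the P/M/A bits in its low three bits, with the user pointer 16 bytes past the chunk address); the heap image and the base address are constructed.

```c
/* Added example, not rop-tool's code: decodes 64-bit glibc chunk headers (constructed image). */
#include <stdint.h>
#include <string.h>
#define PREV_INUSE     0x1   /* P */
#define IS_MMAPPED     0x2   /* M */
#define NON_MAIN_ARENA 0x4   /* A */
#define HDR (2 * sizeof(uint64_t))   /* prev_size + size words precede the user data */

struct chunk_info {
    uint64_t addr, usr_addr, size;  /* header address, pointer handed to the caller, masked size */
    char flags[4];                  /* "P", "M", "A" in rop-tool's notation */
};

/* Decode the header at image+off as if the image were mapped at base. */
static struct chunk_info decode_chunk(const uint8_t *image, size_t off, uint64_t base) {
    struct chunk_info ci = {0}; uint64_t raw; int n = 0;
    memcpy(&raw, image + off + sizeof(uint64_t), sizeof raw);  /* size word follows prev_size */
    ci.addr = base + off;
    ci.usr_addr = ci.addr + HDR;                 /* what malloc() returned: addr + 16 */
    ci.size = raw & ~(uint64_t)(PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA);
    if (raw & PREV_INUSE)     ci.flags[n++] = 'P';
    if (raw & IS_MMAPPED)     ci.flags[n++] = 'M';
    if (raw & NON_MAIN_ARENA) ci.flags[n++] = 'A';
    return ci;
}

/* Walk consecutive chunks; the last row is the chunk whose size runs past the image
 * (the top chunk) or is too small to be a header (corrupted). Returns the row count. */
static size_t walk_heap(const uint8_t *image, size_t len, uint64_t base, struct chunk_info *out, size_t max) {
    size_t off = 0, n = 0;
    while (n < max && off + HDR <= len) {
        out[n] = decode_chunk(image, off, base);
        size_t sz = out[n++].size;
        if (sz < HDR || off + sz > len) break;
        off += sz;
    }
    return n;
}

static uint8_t g_heap[0x100];          /* constructed image: three in-use chunks, then top */
static struct chunk_info g_chunks[8];  /* decoded rows, one per chunk */
static void put_u64(uint8_t *p, uint64_t v) { memcpy(p, &v, sizeof v); }

size_t run_sample(void) {
    put_u64(g_heap + 0x08, 0x21);       /* chunk @0x00: size 0x20 | P */
    put_u64(g_heap + 0x28, 0x31);       /* chunk @0x20: size 0x30 | P */
    put_u64(g_heap + 0x58, 0x25);       /* chunk @0x50: size 0x20 | P | A */
    put_u64(g_heap + 0x78, 0x20f91);    /* top   @0x70: claims 0x20f90 bytes | P */
    return walk_heap(g_heap, sizeof g_heap, 0x555555559000ULL, g_chunks, 8);
}
```

The walk stops at the top chunk because its size word claims more bytes than the image holds, which is also the symptom a corrupted size field produces.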

DISASSEMBLE COMMAND
Usage : rop-tool dis [OPTIONS] [FILENAME]

OPTIONS:
  --help, -h               Print this help message
  --no-color, -N           Do not colorize output
  --address, -a    <a>     Start disassembling at address <a>
  --offset, -o     <o>     Start disassembling at offset <o>
  --sym, -s        <s>     Disassemble symbol
  --len, -l        <l>     Disassemble only <l> bytes
  --arch, -A       <a>     Select architecture (x86, x86-64, arm, arm64)
  --flavor, -f     <f>     Change flavor (intel, att)

FEATURES
  • String searching, gadget searching, patching, binary info, heap visualization, disassembling
  • Colored output
  • Intel and AT&T flavor
  • Support for the ELF, PE and Mach-O binary formats
  • Support for big and little endian
  • Support for the x86, x86_64, ARM and ARM64 architectures

EXAMPLES
Basic gadget searching:
  • rop-tool gadget ./program
Display all gadgets with AT&T syntax:
  • rop-tool gadget ./program -f att -a
Search a raw x86 file for gadgets:
  • rop-tool gadget ./program -A x86
Search a "split" string in the binary:
  • rop-tool search ./program -s "/bin/sh"
Search all strings in the binary:
  • rop-tool search ./program -a
Patch the binary at offset 0x1000 with "\xaa\xbb\xcc\xdd" and save it as "patched":
  • rop-tool patch ./program -o 0x1000 -b "\xaa\xbb\xcc\xdd" -O patched
Visualize the heap allocations of the /bin/ls command:
  • rop-tool heap /bin/ls
Disassemble 0x100 bytes at address 0x08048452:
  • rop-tool dis /bin/ls -l 0x100 -a 0x08048452

SCREENSHOTS
Each screenshot shows the output of one of the following commands:
  • rop-tool gadget /bin/ls
  • rop-tool search /bin/ls -a
  • rop-tool search /bin/ls -s "/bin/sh\x00"
  • rop-tool search /bin/ls -w 0x90
  • rop-tool heap ./a.out
  • rop-tool dis ./bin  # Many formats


HOW TO CONTRIBUTE
  • Programming (see TODO file if you need ideas)
  • Report bugs
  • Improve documentation
  • Submit new ideas
  • ...

DEPENDENCIES

AUTHOR
Tosh
tosh -at- t0x0sh dotorg



Source: Rop-Tool - A Tool To Help You Write Binary Exploits

