• Stars
    star
    597
  • Rank 74,979 (Top 2 %)
  • Language
    Python
  • License
    BSD 2-Clause "Sim...
  • Created over 8 years ago
  • Updated about 2 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

angrop

angrop is a rop gadget finder and chain builder

Overview

angrop is a tool to automatically generate rop chains.

It is built on top of angr's symbolic execution engine, and uses constraint solving for generating chains and understanding the effects of gadgets.

angrop should support all the architectures supported by angr, although more testing needs to be done.

Typically, it can generate rop chains (especially long chains) faster than humans.

It includes functions to generate chains which are commonly used in exploitation and CTF's, such as setting registers, and calling functions.

Usage

The ROP analysis finds rop gadgets and can automatically build rop chains.

>>> import angr, angrop
>>> p = angr.Project("/bin/ls")
>>> rop = p.analyses.ROP()
>>> rop.find_gadgets()
>>> chain = rop.set_regs(rax=0x1337, rbx=0x56565656)
>>> chain.payload_str()
b'\xb32@\x00\x00\x00\x00\x007\x13\x00\x00\x00\x00\x00\x00\xa1\x18@\x00\x00\x00\x00\x00VVVV\x00\x00\x00\x00'
>>> chain.print_payload_code()
chain = b""
chain += p64(0x410b23)	# pop rax; ret
chain += p64(0x1337)
chain += p64(0x404dc0)	# pop rbx; ret
chain += p64(0x56565656)

Chains

# angrop includes methods to create certain common chains

# setting registers
chain = rop.set_regs(rax=0x1337, rbx=0x56565656)

# writing to memory 
# writes "/bin/sh\0" to address 0x61b100
chain = rop.write_to_mem(0x61b100, b"/bin/sh\0")

# calling functions
chain = rop.func_call("read", [0, 0x804f000, 0x100])

# adding values to memory
chain = rop.add_to_mem(0x804f124, 0x41414141)

# chains can be added together to chain operations
chain = rop.write_to_mem(0x61b100, b"/home/ctf/flag\x00") + rop.func_call("open", [0x61b100,os.O_RDONLY]) + ...

# chains can be printed for copy pasting into exploits
>>> chain.print_payload_code()
chain = b""
chain += p64(0x410b23)	# pop rax; ret
chain += p64(0x74632f656d6f682f)
chain += p64(0x404dc0)	# pop rbx; ret
chain += p64(0x61b0f8)
chain += p64(0x40ab63)	# mov qword ptr [rbx + 8], rax; add rsp, 0x10; pop rbx; ret
...

Gadgets

Gadgets contain a lot of information:

For example look at how the following code translates into a gadget

   0x403be4:	and    ebp,edi
   0x403be6:	mov    QWORD PTR [rbx+0x90],rax
   0x403bed:	xor    eax,eax
   0x403bef:	add    rsp,0x10
   0x403bf3:	pop    rbx
   0x403bf4:	ret    
>>> print(rop.gadgets[0])
Gadget 0x403be4
Stack change: 0x20
Changed registers: set(['rbx', 'rax', 'rbp'])
Popped registers: set(['rbx'])
Register dependencies:
    rbp: [rdi, rbp]
Memory write:
    address (64 bits) depends on: ['rbx']
    data (64 bits) depends on: ['rax']

The dependencies describe what registers affect the final value of another register. In the example above, the final value of rbp depends on both rdi and rbp. Dependencies are analyzed for registers and for memory actions. All of the information is stored as properties in the gadgets, so it is easy to iterate over them and find gadgets which fit your needs.

>>> for g in rop.gadgets:
    if "rax" in g.popped_regs and "rbx" not in g.changed_regs:
        print(g)
Gadget 0x4032b3
Stack change: 0x10
Changed registers: set(['rax'])
Popped registers: set(['rax'])
Register dependencies:

TODO's

Allow strings to be passed as arguments to func_call(), which are then written to memory and referenced.

Add a function for open, read, write (for ctf's)

Allow using of angr objects such as BVV, BVS to make using symbolic values easy

The segment analysis for finding executable addresses seems to break on non-elf binaries often, such as PE files, kernel modules.

Allow setting constraints on the generated chain e.g. bytes that are valid.

Common gotchas

Make sure to import angrop before calling proj.analyses.ROP()

Make sure to call find_gadets() before trying to make chains

More Repositories

1

angr

A powerful and user-friendly binary analysis platform!
Python
7,537
star
2

angr-management

The official angr GUI.
Python
892
star
3

angr-doc

Documentation for the angr suite
TeX
837
star
4

rex

Shellphish's automated exploitation engine, originally created for the Cyber Grand Challenge.
Python
634
star
5

cle

CLE Loads Everything (at least, many binary formats!)
Python
412
star
6

pyvex

Python bindings for Valgrind's VEX IR.
Python
337
star
7

claripy

An abstraction layer for constraint solvers.
Python
286
star
8

patcherex

Shellphish's automated patching engine, originally created for the Cyber Grand Challenge.
Python
249
star
9

heaphopper

HeapHopper is a bounded model checking framework for Heap-implementations
Python
212
star
10

pypcode

Python bindings to Ghidra's SLEIGH library for disassembly and lifting to P-Code IR
C++
179
star
11

phuzzer

The new phuzzing framework!
Python
148
star
12

angr-dev

Some helper scripts to set up an environment for angr development.
Shell
115
star
13

vex

A patched version of VEX to work with PyVEX.
C
105
star
14

tracer

Utilities for generating dynamic traces
Python
88
star
15

archinfo

Classes with architecture-specific information useful to other projects.
Python
85
star
16

simuvex

[DEPRECATED] A symbolic execution engine for the VEX IR
Python
79
star
17

archr

Target-centric program analysis.
Python
72
star
18

angr-platforms

A collection of extensions to angr to handle new platforms
Python
66
star
19

binaries

A repository with binaries for angr tests and examples.
C
56
star
20

acsac-course

Python
47
star
21

fidget

A tool to add simple inline patches to a binary to rearrange its stack frames, and other things!
Python
45
star
22

pysoot

Python bindings for Shimple/Jimple IR from Soot.
Python
41
star
23

angr-targets

This repository contains the currently implemented angr concrete targets.
Python
32
star
24

ailment

AIL: The angr Intermediate Language.
Python
29
star
25

angr-examples

Example scripts using angr
Python
27
star
26

secdev-course

Python
20
star
27

identifier

[DEPRECATED] Using angr and prebuilt testcases to identify functions in statically-linked binaries.
9
star
28

wheels

Wheels for speeding up builds and helping people out.
7
star
29

angr.github.io

angry website
HTML
6
star
30

nixpkgs

angr related nixpkgs
Nix
4
star
31

flirt_signatures

4
star
32

angr.io

angr.io website source
HTML
3
star
33

syscall-agent

C
2
star
34

ci-settings

Docker image and azure templates for angr's CI
Python
2
star
35

library_docs

1
star
36

azure-runners

Docker stuff for self-hosted azure runners
Shell
1
star