0vercl0k / rp Goto Github PK

rp++ is a fast C++ ROP gadget finder for PE/ELF/Mach-O x86/x64/ARM/ARM64 binaries.

License: MIT License

CMake 1.18% C 1.20% C++ 97.41% Batchfile 0.11% Shell 0.11%

rop return-oriented-programming gadget binary-exploitation rop-gadgets rop-chain exploit-development exploitation-framework

rp's Introduction

rp++: a fast ROP gadget finder for PE/ELF/Mach-O x86/x64/ARM/ARM64 binaries

Overview

rp++ or rp is a C++ ROP gadget finder for PE/ELF/Mach-O executables and x86/x64/ARM/ARM64 architectures.

Finding ROP gadgets

To find ROP gadget you need to specify a file with the --file / -f option and use the --rop / -r option specifying the maximum the number of instructions in the gadget:

You can customize the base address of the module with the --va option (if you pass a base of 0, then you get relative offsets) and you can also use the --raw option to analyze raw code dumps.

Finding pointers

Oftentimes when building ROP chains, you might need to find pointers to integers with specific values. To look for those, you can use the --search-int option like in the below:

Other times, you might need to find pointers to specific strings. To look for those, you can use the --search-hexa option like in the below:

You can also use the --va option to specify your own base address.

Build

You can find shell scripts in src/build for every supported platforms; below is the Linux example:

src/build$ chmod u+x ./build-release.sh && ./build-release.sh
-- The C compiler identification is GNU 9.3.0
-- The CXX compiler identification is GNU 9.3.0
[...]
[16/16] Linking CXX executable rp-lin-x64

Authors

Axel '0vercl0k' Souchet

rp's People

Contributors

Stargazers

Watchers

Forkers

adamcecc mattrwallace intfrr hollylee codenote humeafo haofree maligree claudiouzelac the-darknight tempbottle yegle comealong d4nnyk suto cherry-wb nikaiw flyboy9 ge0 chubbymaggie debug-orz nefski jcarlson23 sigma-random killvxk jcande tisma syjzwjj ant4g0nist mak- bewithjitendrapatel gcorral lb5tr kostyll magicislab codercold idkwim iokto idaviden awailly jduck xfreshx defanlt askk iurnah whb224117 goaaron m4rm0k dummys soh0ro0t ohio813 coffeevapple gitcollect leanmind waterdr0p riusksk wormfox yodamaster mshafiqsb iptablesl ajmartel menahabib alkischristidis mistawes sh1nu11bi gloxec bryant1410 wenhuizhang ganglongguni jijicanyu cnsuhao sergey-pronin wxdublin xp0int arryboom esc0rtd3w stevenchen0x01 kriw brownbelt beyondcy king22c secretnonempty hardsecurity sireof exiahan hybridious skyformat99 mikalv altune sploitamos aliasrobotics vmayoral jeffli678 1004556495 lukw00heck peterg75 sbambach y0d4a seabreg hotelzululima

rp's Issues

feature request: support for avr

Hi, avr arch are heavily used in IoT, and libcs are not sanitized. Wondering if this tool could search through hex sketches of firmwares to identify ROP vulnerabilities for programmers.

Add option to display the hexbytes and don't display them by default

There is a memory leak found when use address sanitizer.

==29830==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 528 byte(s) in 1 object(s) allocated from:
#0 0x7f6b18423602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4cdc75 in arg_end (/home/mfc_fuzz/rp/bin/rp-lin-x64+0x4cdc75)
#2 0x48f605 in main /home/mfc_fuzz/rp/src/main.cpp:44
#3 0x7f6b17a4982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Direct leak of 152 byte(s) in 1 object(s) allocated from:
#0 0x7f6b18423602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4ce2f5 in arg_filen (/home/mfc_fuzz/rp/bin/rp-lin-x64+0x4ce2f5)
#2 0x4ce24f in arg_file0 (/home/mfc_fuzz/rp/bin/rp-lin-x64+0x4ce24f)
#3 0x48f4e8 in main /home/mfc_fuzz/rp/src/main.cpp:34
#4 0x7f6b17a4982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Direct leak of 120 byte(s) in 1 object(s) allocated from:
#0 0x7f6b18423602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4cf15d in arg_strn (/home/mfc_fuzz/rp/bin/rp-lin-x64+0x4cf15d)
#2 0x4cf0c4 in arg_str0 (/home/mfc_fuzz/rp/bin/rp-lin-x64+0x4cf0c4)
#3 0x48f59e in main /home/mfc_fuzz/rp/src/main.cpp:40
#4 0x7f6b17a4982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Direct leak of 120 byte(s) in 1 object(s) allocated from:
#0 0x7f6b18423602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4cf15d in arg_strn (/home/mfc_fuzz/rp/bin/rp-lin-x64+0x4cf15d)
#2 0x4cf0c4 in arg_str0 (/home/mfc_fuzz/rp/bin/rp-lin-x64+0x4cf0c4)
#3 0x48f5be in main /home/mfc_fuzz/rp/src/main.cpp:41
#4 0x7f6b17a4982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Direct leak of 120 byte(s) in 1 object(s) allocated from:
#0 0x7f6b18423602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4cf15d in arg_strn (/home/mfc_fuzz/rp/bin/rp-lin-x64+0x4cf15d)
#2 0x4cf0c4 in arg_str0 (/home/mfc_fuzz/rp/bin/rp-lin-x64+0x4cf0c4)
#3 0x48f548 in main /home/mfc_fuzz/rp/src/main.cpp:37
#4 0x7f6b17a4982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Direct leak of 116 byte(s) in 1 object(s) allocated from:
#0 0x7f6b18423602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4ceb33 in arg_intn (/home/mfc_fuzz/rp/bin/rp-lin-x64+0x4ceb33)
#2 0x4cea9a in arg_int0 (/home/mfc_fuzz/rp/bin/rp-lin-x64+0x4cea9a)
#3 0x48f508 in main /home/mfc_fuzz/rp/src/main.cpp:35
#4 0x7f6b17a4982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Direct leak of 116 byte(s) in 1 object(s) allocated from:
#0 0x7f6b18423602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4ceb33 in arg_intn (/home/mfc_fuzz/rp/bin/rp-lin-x64+0x4ceb33)
#2 0x4cea9a in arg_int0 (/home/mfc_fuzz/rp/bin/rp-lin-x64+0x4cea9a)
#3 0x48f528 in main /home/mfc_fuzz/rp/src/main.cpp:36
#4 0x7f6b17a4982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Direct leak of 104 byte(s) in 1 object(s) allocated from:
#0 0x7f6b18423602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4cee17 in arg_litn (/home/mfc_fuzz/rp/bin/rp-lin-x64+0x4cee17)
#2 0x4ced9f in arg_lit0 (/home/mfc_fuzz/rp/bin/rp-lin-x64+0x4ced9f)
#3 0x48f57e in main /home/mfc_fuzz/rp/src/main.cpp:39
#4 0x7f6b17a4982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Direct leak of 104 byte(s) in 1 object(s) allocated from:
#0 0x7f6b18423602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4cee17 in arg_litn (/home/mfc_fuzz/rp/bin/rp-lin-x64+0x4cee17)
#2 0x4ced9f in arg_lit0 (/home/mfc_fuzz/rp/bin/rp-lin-x64+0x4ced9f)
#3 0x48f563 in main /home/mfc_fuzz/rp/src/main.cpp:38
#4 0x7f6b17a4982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Direct leak of 104 byte(s) in 1 object(s) allocated from:
#0 0x7f6b18423602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4cee17 in arg_litn (/home/mfc_fuzz/rp/bin/rp-lin-x64+0x4cee17)
#2 0x4ced9f in arg_lit0 (/home/mfc_fuzz/rp/bin/rp-lin-x64+0x4ced9f)
#3 0x48f5d9 in main /home/mfc_fuzz/rp/src/main.cpp:42
#4 0x7f6b17a4982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Direct leak of 104 byte(s) in 1 object(s) allocated from:
#0 0x7f6b18423602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4cee17 in arg_litn (/home/mfc_fuzz/rp/bin/rp-lin-x64+0x4cee17)
#2 0x4ced9f in arg_lit0 (/home/mfc_fuzz/rp/bin/rp-lin-x64+0x4ced9f)
#3 0x48f5f4 in main /home/mfc_fuzz/rp/src/main.cpp:43
#4 0x7f6b17a4982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: 1688 byte(s) leaked in 11 allocation(s).

Make built binary static

For my dude @elvanderb

Clean-up InstructionInformation

Screenshot is broken in README.md

Fix bug in PE parser when sections uses IMAGE_SCN_MEM_EXECUTE

ARM is not actually supported despite claiming to support ARM

The following test uses libc.so from an Android device:

$ ./rp/bin/rp-lin-x64 -f libc.so
Trying to open 'libc.so'..
Loading ELF information..
FileFormat: Elf, Arch: x86

As you can see, whatever ELF code being used here thinks this binary is x86 for some reason...

vdso

Hey,

rp++ is awesome, but I think it should be able to search the vdso for gadgets.

Compile error

Hi, could you provide the instructions to build rp++? I used to compile without errors, but when I pulled the latest commit today, things started going wrong showed as follows:

[  4%] Building CXX object CMakeFiles/rp-lin-x64.dir/src/macho.cpp.o
/usr/bin/c++ -Wall -O2 -static -s -Wl,-z,relro,-z,now -fstack-protector-all -m64 -O3 -DNDEBUG -I/root/tools/rp/./src/inc -I/root/tools/rp/./lib/beaengine/inc -I/root/tools/rp/./lib/argtable2/inc -I/root/tools/rp/./lib/capstone/inc -o CMakeFiles/rp-lin-x64.dir/src/macho.cpp.o -c /root/tools/rp/src/macho.cpp
In file included from /root/tools/rp/./src/inc/toolbox.hpp:28:0,
                 from /root/tools/rp/./src/inc/macho_struct.hpp:24,
                 from /root/tools/rp/./src/inc/macho.hpp:23,
                 from /root/tools/rp/src/macho.cpp:20:
/root/tools/rp/./src/inc/gadget.hpp:70:19: error: ‘shared_ptr’ is not a member of ‘std’
         std::list<std::shared_ptr<Instruction>> get_instructions(void);
                   ^
/root/tools/rp/./src/inc/gadget.hpp:70:19: error: ‘shared_ptr’ is not a member of ‘std’
/root/tools/rp/./src/inc/gadget.hpp:70:70: error: a function call cannot appear in a constant-expression
         std::list<std::shared_ptr<Instruction>> get_instructions(void);
                                                                      ^
/root/tools/rp/./src/inc/gadget.hpp:70:70: error: template argument 1 is invalid
/root/tools/rp/./src/inc/gadget.hpp:70:70: error: template argument 2 is invalid
/root/tools/rp/./src/inc/gadget.hpp:107:14: error: ‘shared_ptr’ in namespace ‘std’ does not name a template type
         std::shared_ptr<Instruction> get_ending_instruction(void);
              ^
/root/tools/rp/./src/inc/gadget.hpp:115:40: error: ‘shared_ptr’ in namespace ‘std’ does not name a template type
             bool operator()(const std::shared_ptr<Gadget> g, const std::shared_ptr<Gadget> d) const
                                        ^
/root/tools/rp/./src/inc/gadget.hpp:115:50: error: expected ‘,’ or ‘...’ before ‘<’ token
             bool operator()(const std::shared_ptr<Gadget> g, const std::shared_ptr<Gadget> d) const
                                                  ^
/root/tools/rp/./src/inc/gadget.hpp:127:19: error: ‘shared_ptr’ is not a member of ‘std’
         std::list<std::shared_ptr<Instruction>> m_instructions; /*!< the list of the different instructions composing the gadget*/
                   ^
/root/tools/rp/./src/inc/gadget.hpp:127:19: error: ‘shared_ptr’ is not a member of ‘std’
/root/tools/rp/./src/inc/gadget.hpp:127:49: error: ‘m_instructions’ was not declared in this scope
         std::list<std::shared_ptr<Instruction>> m_instructions; /*!< the list of the different instructions composing the gadget*/
                                                 ^
/root/tools/rp/./src/inc/gadget.hpp:127:49: error: template argument 1 is invalid
/root/tools/rp/./src/inc/gadget.hpp:127:49: error: template argument 2 is invalid
/root/tools/rp/./src/inc/gadget.hpp: In member function ‘bool Gadget::Sort::operator()(int) const’:
/root/tools/rp/./src/inc/gadget.hpp:117:24: error: ‘g’ was not declared in this scope
                 return g->get_disassembly() < d->get_disassembly();
                        ^
/root/tools/rp/./src/inc/gadget.hpp:117:47: error: ‘d’ was not declared in this scope
                 return g->get_disassembly() < d->get_disassembly();
                                               ^
In file included from /root/tools/rp/./src/inc/macho_struct.hpp:24:0,
                 from /root/tools/rp/./src/inc/macho.hpp:23,
                 from /root/tools/rp/src/macho.cpp:20:
/root/tools/rp/./src/inc/toolbox.hpp: At global scope:
/root/tools/rp/./src/inc/toolbox.hpp:98:40: error: ‘shared_ptr’ is not a member of ‘std’
 void only_unique_gadgets(std::multiset<std::shared_ptr<Gadget>, Gadget::Sort> &list_gadgets, std::set<std::shared_ptr<Gadget>, Gadget::Sort> &unique_gadgets);
                                        ^
/root/tools/rp/./src/inc/toolbox.hpp:98:40: error: ‘shared_ptr’ is not a member of ‘std’
/root/tools/rp/./src/inc/toolbox.hpp:98:62: error: template argument 1 is invalid
 void only_unique_gadgets(std::multiset<std::shared_ptr<Gadget>, Gadget::Sort> &list_gadgets, std::set<std::shared_ptr<Gadget>, Gadget::Sort> &unique_gadgets);
                                                              ^
/root/tools/rp/./src/inc/toolbox.hpp:98:62: error: template argument 2 is invalid
/root/tools/rp/./src/inc/toolbox.hpp:98:62: error: template argument 3 is invalid
/root/tools/rp/./src/inc/toolbox.hpp:98:40: error: ‘shared_ptr’ is not a member of ‘std’
 void only_unique_gadgets(std::multiset<std::shared_ptr<Gadget>, Gadget::Sort> &list_gadgets, std::set<std::shared_ptr<Gadget>, Gadget::Sort> &unique_gadgets);
                                        ^
/root/tools/rp/./src/inc/toolbox.hpp:98:40: error: ‘shared_ptr’ is not a member of ‘std’
/root/tools/rp/./src/inc/toolbox.hpp:98:62: error: template argument 1 is invalid
 void only_unique_gadgets(std::multiset<std::shared_ptr<Gadget>, Gadget::Sort> &list_gadgets, std::set<std::shared_ptr<Gadget>, Gadget::Sort> &unique_gadgets);
                                                              ^
/root/tools/rp/./src/inc/toolbox.hpp:98:62: error: template argument 2 is invalid
/root/tools/rp/./src/inc/toolbox.hpp:98:62: error: template argument 3 is invalid
/root/tools/rp/./src/inc/toolbox.hpp:98:31: error: variable or field ‘only_unique_gadgets’ declared void
 void only_unique_gadgets(std::multiset<std::shared_ptr<Gadget>, Gadget::Sort> &list_gadgets, std::set<std::shared_ptr<Gadget>, Gadget::Sort> &unique_gadgets);
                               ^
/root/tools/rp/./src/inc/toolbox.hpp:98:40: error: ‘shared_ptr’ is not a member of ‘std’
 void only_unique_gadgets(std::multiset<std::shared_ptr<Gadget>, Gadget::Sort> &list_gadgets, std::set<std::shared_ptr<Gadget>, Gadget::Sort> &unique_gadgets);
                                        ^
/root/tools/rp/./src/inc/toolbox.hpp:98:40: error: ‘shared_ptr’ is not a member of ‘std’
/root/tools/rp/./src/inc/toolbox.hpp:98:62: error: template argument 1 is invalid
 void only_unique_gadgets(std::multiset<std::shared_ptr<Gadget>, Gadget::Sort> &list_gadgets, std::set<std::shared_ptr<Gadget>, Gadget::Sort> &unique_gadgets);
                                                              ^
/root/tools/rp/./src/inc/toolbox.hpp:98:62: error: template argument 2 is invalid
/root/tools/rp/./src/inc/toolbox.hpp:98:62: error: template argument 3 is invalid
/root/tools/rp/./src/inc/toolbox.hpp:98:77: error: expected primary-expression before ‘>’ token
 void only_unique_gadgets(std::multiset<std::shared_ptr<Gadget>, Gadget::Sort> &list_gadgets, std::set<std::shared_ptr<Gadget>, Gadget::Sort> &unique_gadgets);
                                                                             ^
/root/tools/rp/./src/inc/toolbox.hpp:98:80: error: ‘list_gadgets’ was not declared in this scope
 void only_unique_gadgets(std::multiset<std::shared_ptr<Gadget>, Gadget::Sort> &list_gadgets, std::set<std::shared_ptr<Gadget>, Gadget::Sort> &unique_gadgets);
                                                                                ^
/root/tools/rp/./src/inc/toolbox.hpp:98:103: error: ‘shared_ptr’ is not a member of ‘std’
 void only_unique_gadgets(std::multiset<std::shared_ptr<Gadget>, Gadget::Sort> &list_gadgets, std::set<std::shared_ptr<Gadget>, Gadget::Sort> &unique_gadgets);
                                                                                                       ^
/root/tools/rp/./src/inc/toolbox.hpp:98:103: error: ‘shared_ptr’ is not a member of ‘std’
/root/tools/rp/./src/inc/toolbox.hpp:98:125: error: template argument 1 is invalid
 void only_unique_gadgets(std::multiset<std::shared_ptr<Gadget>, Gadget::Sort> &list_gadgets, std::set<std::shared_ptr<Gadget>, Gadget::Sort> &unique_gadgets);
                                                                                                                             ^
/root/tools/rp/./src/inc/toolbox.hpp:98:125: error: template argument 2 is invalid
/root/tools/rp/./src/inc/toolbox.hpp:98:125: error: template argument 3 is invalid
/root/tools/rp/./src/inc/toolbox.hpp:98:140: error: expected primary-expression before ‘>’ token
 void only_unique_gadgets(std::multiset<std::shared_ptr<Gadget>, Gadget::Sort> &list_gadgets, std::set<std::shared_ptr<Gadget>, Gadget::Sort> &unique_gadgets);
                                                                                                                                            ^
/root/tools/rp/./src/inc/toolbox.hpp:98:143: error: ‘unique_gadgets’ was not declared in this scope
 void only_unique_gadgets(std::multiset<std::shared_ptr<Gadget>, Gadget::Sort> &list_gadgets, std::set<std::shared_ptr<Gadget>, Gadget::Sort> &unique_gadgets);
                                                                                                                                               ^
In file included from /root/tools/rp/./src/inc/macho.hpp:23:0,
                 from /root/tools/rp/src/macho.cpp:20:
/root/tools/rp/./src/inc/macho_struct.hpp:273:25: error: ‘shared_ptr’ is not a member of ‘std’
     virtual std::vector<std::shared_ptr<Section>> get_executable_section(std::ifstream &file) = 0;
                         ^
/root/tools/rp/./src/inc/macho_struct.hpp:273:25: error: ‘shared_ptr’ is not a member of ‘std’
/root/tools/rp/./src/inc/macho_struct.hpp:273:93: error: a function call cannot appear in a constant-expression
     virtual std::vector<std::shared_ptr<Section>> get_executable_section(std::ifstream &file) = 0;
                                                                                             ^
/root/tools/rp/./src/inc/macho_struct.hpp:273:97: error: an assignment cannot appear in a constant-expression
     virtual std::vector<std::shared_ptr<Section>> get_executable_section(std::ifstream &file) = 0;
                                                                                                 ^
/root/tools/rp/./src/inc/macho_struct.hpp:273:97: error: template argument 1 is invalid
/root/tools/rp/./src/inc/macho_struct.hpp:273:97: error: template argument 2 is invalid
/root/tools/rp/./src/inc/macho_struct.hpp:273:18: error: ‘virtual’ can only be specified for functions
     virtual std::vector<std::shared_ptr<Section>> get_executable_section(std::ifstream &file) = 0;
                  ^
/root/tools/rp/./src/inc/macho_struct.hpp:282:17: error: ‘shared_ptr’ is not a member of ‘std’
     std::vector<std::shared_ptr<RP_SEGMENT_COMMAND<T>>> seg_commands;
                 ^
/root/tools/rp/./src/inc/macho_struct.hpp:282:17: error: ‘shared_ptr’ is not a member of ‘std’
/root/tools/rp/./src/inc/macho_struct.hpp:282:53: error: ‘>>’ should be ‘> >’ within a nested template argument list
     std::vector<std::shared_ptr<RP_SEGMENT_COMMAND<T>>> seg_commands;
                                                     ^
/root/tools/rp/./src/inc/macho_struct.hpp:282:53: error: template argument 1 is invalid
/root/tools/rp/./src/inc/macho_struct.hpp:282:53: error: template argument 2 is invalid
/root/tools/rp/./src/inc/macho_struct.hpp:282:55: error: expected unqualified-id before ‘>’ token
     std::vector<std::shared_ptr<RP_SEGMENT_COMMAND<T>>> seg_commands;
                                                       ^
/root/tools/rp/./src/inc/macho_struct.hpp:283:17: error: ‘shared_ptr’ is not a member of ‘std’
     std::vector<std::shared_ptr<RP_SECTION<T>>> sections;
                 ^
/root/tools/rp/./src/inc/macho_struct.hpp:283:17: error: ‘shared_ptr’ is not a member of ‘std’
/root/tools/rp/./src/inc/macho_struct.hpp:283:45: error: ‘>>’ should be ‘> >’ within a nested template argument list
     std::vector<std::shared_ptr<RP_SECTION<T>>> sections;
                                             ^
/root/tools/rp/./src/inc/macho_struct.hpp:283:45: error: template argument 1 is invalid
/root/tools/rp/./src/inc/macho_struct.hpp:283:45: error: template argument 2 is invalid
/root/tools/rp/./src/inc/macho_struct.hpp:283:47: error: expected unqualified-id before ‘>’ token
     std::vector<std::shared_ptr<RP_SECTION<T>>> sections;
                                               ^
/root/tools/rp/./src/inc/macho_struct.hpp:285:34: error: ‘shared_ptr’ is not a member of ‘std’
     typedef typename std::vector<std::shared_ptr<RP_SECTION<T>>>::const_iterator iter_rp_section;
                                  ^
/root/tools/rp/./src/inc/macho_struct.hpp:285:34: error: ‘shared_ptr’ is not a member of ‘std’
/root/tools/rp/./src/inc/macho_struct.hpp:285:62: error: ‘>>’ should be ‘> >’ within a nested template argument list
     typedef typename std::vector<std::shared_ptr<RP_SECTION<T>>>::const_iterator iter_rp_section;
                                                              ^
/root/tools/rp/./src/inc/macho_struct.hpp:285:62: error: template argument 1 is invalid
/root/tools/rp/./src/inc/macho_struct.hpp:285:62: error: template argument 2 is invalid
/root/tools/rp/./src/inc/macho_struct.hpp:285:64: error: expected identifier before ‘>’ token
     typedef typename std::vector<std::shared_ptr<RP_SECTION<T>>>::const_iterator iter_rp_section;
                                                                ^
/root/tools/rp/./src/inc/macho_struct.hpp:285:64: error: expected unqualified-id before ‘>’ token
/root/tools/rp/./src/inc/macho_struct.hpp:286:34: error: ‘shared_ptr’ is not a member of ‘std’
     typedef typename std::vector<std::shared_ptr<RP_SEGMENT_COMMAND<T>>>::const_iterator iter_rp_segment;
                                  ^
/root/tools/rp/./src/inc/macho_struct.hpp:286:34: error: ‘shared_ptr’ is not a member of ‘std’
/root/tools/rp/./src/inc/macho_struct.hpp:286:70: error: ‘>>’ should be ‘> >’ within a nested template argument list
     typedef typename std::vector<std::shared_ptr<RP_SEGMENT_COMMAND<T>>>::const_iterator iter_rp_segment;
                                                                      ^
/root/tools/rp/./src/inc/macho_struct.hpp:286:70: error: template argument 1 is invalid
/root/tools/rp/./src/inc/macho_struct.hpp:286:70: error: template argument 2 is invalid
/root/tools/rp/./src/inc/macho_struct.hpp:286:72: error: expected identifier before ‘>’ token
     typedef typename std::vector<std::shared_ptr<RP_SEGMENT_COMMAND<T>>>::const_iterator iter_rp_segment;
                                                                        ^
/root/tools/rp/./src/inc/macho_struct.hpp:286:72: error: expected unqualified-id before ‘>’ token
In file included from /root/tools/rp/./src/inc/macho.hpp:23:0,
                 from /root/tools/rp/src/macho.cpp:20:
/root/tools/rp/./src/inc/macho_struct.hpp:358:17: error: ‘shared_ptr’ is not a member of ‘std’
     std::vector<std::shared_ptr<Section>> get_executable_section(std::ifstream &file)
                 ^
/root/tools/rp/./src/inc/macho_struct.hpp:358:17: error: ‘shared_ptr’ is not a member of ‘std’
/root/tools/rp/./src/inc/macho_struct.hpp:358:85: error: a function call cannot appear in a constant-expression
     std::vector<std::shared_ptr<Section>> get_executable_section(std::ifstream &file)
                                                                                     ^
/root/tools/rp/./src/inc/macho_struct.hpp:358:85: error: template argument 1 is invalid
/root/tools/rp/./src/inc/macho_struct.hpp:358:85: error: template argument 2 is invalid
/root/tools/rp/./src/inc/macho_struct.hpp:359:5: error: expected unqualified-id before ‘{’ token
     {
     ^
/root/tools/rp/src/macho.cpp:106:1: error: expected ‘}’ at end of input
 }
 ^
In file included from /root/tools/rp/./src/inc/macho.hpp:23:0,
                 from /root/tools/rp/src/macho.cpp:20:
/root/tools/rp/./src/inc/macho_struct.hpp: In member function ‘void MachoArchLayout<T>::fill_structures(std::ifstream&)’:
/root/tools/rp/./src/inc/macho_struct.hpp:317:21: error: ‘shared_ptr’ is not a member of ‘std’
                     std::shared_ptr<RP_SEGMENT_COMMAND<T>> seg_cmd = std::make_shared<RP_SEGMENT_COMMAND<T>>();
                     ^
/root/tools/rp/./src/inc/macho_struct.hpp:317:57: error: spurious ‘>>’, use ‘>’ to terminate a template argument list
                     std::shared_ptr<RP_SEGMENT_COMMAND<T>> seg_cmd = std::make_shared<RP_SEGMENT_COMMAND<T>>();
                                                         ^
/root/tools/rp/./src/inc/macho_struct.hpp:317:60: error: expected primary-expression before ‘seg_cmd’
                     std::shared_ptr<RP_SEGMENT_COMMAND<T>> seg_cmd = std::make_shared<RP_SEGMENT_COMMAND<T>>();
                                                            ^
/root/tools/rp/./src/inc/macho_struct.hpp:319:38: error: ‘seg_cmd’ was not declared in this scope
                     file.read((char*)seg_cmd.get(), sizeof(RP_SEGMENT_COMMAND<T>));
                                      ^
/root/tools/rp/./src/inc/macho_struct.hpp:320:21: error: ‘seg_commands’ was not declared in this scope
                     seg_commands.push_back(seg_cmd);
                     ^
/root/tools/rp/./src/inc/macho_struct.hpp:322:66: error: there are no arguments to ‘_stricmp’ that depend on a template parameter, so a declaration of ‘_stricmp’ must be available [-fpermissive]
                     if(_stricmp((char*)seg_cmd->segname, "__TEXT") == 0)
                                                                  ^
/root/tools/rp/./src/inc/macho_struct.hpp:322:66: note: (if you use ‘-fpermissive’, G++ will accept your code, but allowing the use of an undeclared name is deprecated)
/root/tools/rp/./src/inc/macho_struct.hpp:333:25: error: ‘shared_ptr’ is not a member of ‘std’
                         std::shared_ptr<RP_SECTION<T>> sect = std::make_shared<RP_SECTION<T>>();
                         ^
/root/tools/rp/./src/inc/macho_struct.hpp:333:53: error: spurious ‘>>’, use ‘>’ to terminate a template argument list
                         std::shared_ptr<RP_SECTION<T>> sect = std::make_shared<RP_SECTION<T>>();
                                                     ^
/root/tools/rp/./src/inc/macho_struct.hpp:333:56: error: expected primary-expression before ‘sect’
                         std::shared_ptr<RP_SECTION<T>> sect = std::make_shared<RP_SECTION<T>>();
                                                        ^
/root/tools/rp/./src/inc/macho_struct.hpp:335:42: error: ‘sect’ was not declared in this scope
                         file.read((char*)sect.get(), sizeof(RP_SECTION<T>));
                                          ^
/root/tools/rp/./src/inc/macho_struct.hpp:336:25: error: ‘sections’ was not declared in this scope
                         sections.push_back(sect);
                         ^
In file included from /root/tools/rp/./src/inc/macho.hpp:23:0,
                 from /root/tools/rp/src/macho.cpp:20:
/root/tools/rp/./src/inc/macho_struct.hpp: At global scope:
/root/tools/rp/./src/inc/macho_struct.hpp:356:5: error: expected unqualified-id at end of input
     }
     ^
CMakeFiles/rp-lin-x64.dir/build.make:57: recipe for target 'CMakeFiles/rp-lin-x64.dir/src/macho.cpp.o' failed
make[2]: *** [CMakeFiles/rp-lin-x64.dir/src/macho.cpp.o] Error 1
CMakeFiles/Makefile2:63: recipe for target 'CMakeFiles/rp-lin-x64.dir/all' failed
make[1]: *** [CMakeFiles/rp-lin-x64.dir/all] Error 2
Makefile:75: recipe for target 'all' failed
make: *** [all] Error 2
:( rp # /usr/bin/c++ -std=c++0x -Wall -O2 -static -s -Wl,-z,relro,-z,now -fstack-protector-all -m64 -O3 -DNDEBUG -I/root/tools/rp/./src/inc -I/root/tools/rp/./lib/beaengine/inc -I/root/tools/rp/./lib/argtable2/inc -I/root/tools/rp/./lib/capstone/inc -o CMakeFiles/rp-lin-x64.dir/src/macho.cpp.o -c /root/tools/rp/src/macho.cpp
In file included from /root/tools/rp/./src/inc/macho.hpp:23:0,
                 from /root/tools/rp/src/macho.cpp:20:
/root/tools/rp/./src/inc/macho_struct.hpp: In member function ‘void MachoArchLayout<T>::fill_structures(std::ifstream&)’:
/root/tools/rp/./src/inc/macho_struct.hpp:322:66: error: there are no arguments to ‘_stricmp’ that depend on a template parameter, so a declaration of ‘_stricmp’ must be available [-fpermissive]
                     if(_stricmp((char*)seg_cmd->segname, "__TEXT") == 0)
                                                                  ^
/root/tools/rp/./src/inc/macho_struct.hpp:322:66: note: (if you use ‘-fpermissive’, G++ will accept your code, but allowing the use of an undeclared name is deprecated)
/root/tools/rp/./src/inc/macho_struct.hpp: In instantiation of ‘void MachoArchLayout<T>::fill_structures(std::ifstream&) [with T = unsigned int; std::ifstream = std::basic_ifstream<char>]’:
/root/tools/rp/src/macho.cpp:106:1:   required from here
/root/tools/rp/./src/inc/macho_struct.hpp:322:66: error: ‘_stricmp’ was not declared in this scope
In file included from /root/tools/rp/./src/inc/macho.hpp:23:0,
                 from /root/tools/rp/src/macho.cpp:20:
/root/tools/rp/./src/inc/macho_struct.hpp: In instantiation of ‘std::vector<std::shared_ptr<Section> > MachoArchLayout<T>::get_executable_section(std::ifstream&) [with T = unsigned int; std::ifstream = std::basic_ifstream<char>]’:
/root/tools/rp/src/macho.cpp:106:1:   required from here
/root/tools/rp/./src/inc/macho_struct.hpp:371:17: error: cannot bind packed field ‘(& it.__gnu_cxx::__normal_iterator<_Iterator, _Container>::operator*<const std::shared_ptr<RP_SECTION<unsigned int> >*, std::vector<std::shared_ptr<RP_SECTION<unsigned int> >, std::allocator<std::shared_ptr<RP_SECTION<unsigned int> > > > >())->std::shared_ptr<RP_SECTION<unsigned int> >::<anonymous>.std::__shared_ptr<_Tp, _Lp>::operator-><RP_SECTION<unsigned int>, (__gnu_cxx::_Lock_policy)2u>()->RP_SECTION<unsigned int>::offset’ to ‘unsigned int&’
                 );
                 ^
In file included from /root/tools/rp/./src/inc/macho.hpp:23:0,
                 from /root/tools/rp/src/macho.cpp:20:
/root/tools/rp/./src/inc/macho_struct.hpp: In instantiation of ‘void MachoArchLayout<T>::fill_structures(std::ifstream&) [with T = long long unsigned int; std::ifstream = std::basic_ifstream<char>]’:
/root/tools/rp/src/macho.cpp:106:1:   required from here
/root/tools/rp/./src/inc/macho_struct.hpp:322:66: error: ‘_stricmp’ was not declared in this scope
                     if(_stricmp((char*)seg_cmd->segname, "__TEXT") == 0)
                                                                  ^
In file included from /root/tools/rp/./src/inc/macho.hpp:23:0,
                 from /root/tools/rp/src/macho.cpp:20:
/root/tools/rp/./src/inc/macho_struct.hpp: In instantiation of ‘std::vector<std::shared_ptr<Section> > MachoArchLayout<T>::get_executable_section(std::ifstream&) [with T = long long unsigned int; std::ifstream = std::basic_ifstream<char>]’:
/root/tools/rp/src/macho.cpp:106:1:   required from here
/root/tools/rp/./src/inc/macho_struct.hpp:371:17: error: cannot bind packed field ‘(& it.__gnu_cxx::__normal_iterator<_Iterator, _Container>::operator*<const std::shared_ptr<RP_SECTION<long long unsigned int> >*, std::vector<std::shared_ptr<RP_SECTION<long long unsigned int> >, std::allocator<std::shared_ptr<RP_SECTION<long long unsigned int> > > > >())->std::shared_ptr<RP_SECTION<long long unsigned int> >::<anonymous>.std::__shared_ptr<_Tp, _Lp>::operator-><RP_SECTION<long long unsigned int>, (__gnu_cxx::_Lock_policy)2u>()->RP_SECTION<long long unsigned int>::offset’ to ‘unsigned int&’
                 );
                 ^

Thanks.

Feature Request - Show output without coloring

this makes it difficult to use the results inside of a pipe.

For example

Currently I need to add sed 's/\x1b\[[0-9;]*m//g' before I can use it

./rp++ -f <program> -r 3 --unique | cut -d: -f1 | perl -ne 'print if $_ =~ /0x/'\
 | sed 's/\x1b\[[0-9;]*m//g' |xargs -I% r2 -a x86 -b 32 -q -c 's %;pd 2' <program>

Re-add --rva option

Previous versions of this tool allowed specifying an RVA. Would it be possible to re-add that command?

Leverage capstone instruction group for ARM32

Build doesn't actually work on x64 Linux

Compiling complains about ../lib/XXX missing (beaengine, argtable2).

Changing "../lib" to "./lib" in CMakeLists.txt fixes the problem for me.

Specify architecture manually

Some binaries fail to load with "Cannot determine the executable format used".

We should be able to specify manually the correct architecture for cases when it is detected incorrectly, or fails to detect at all.

lock instructions should be banned

When looking for gadgets, lock prefixed instructions are not filtered (or even marked).

SIGILL occurs then, breaking the ropchain.

python -c 'import sys; sys.stdout.write("f04889cec3".decode("hex"))' > bin
ndisasm -b64 bin
00000000  F04889CE          lock mov rsi,rcx
00000004  C3                ret
rp-lin-x64 --raw=x64 -f bin -r 1
0x00000000: mov rsi, rcx ; ret  ;  (1 found)

Feature Request - Raw Bytes w/ results

Could you create an option that would show the raw byte values corresponding with the gadget instructions found? Would lessen some tedium of doing it manually.

help with getting the 32-bit version for windows OS

I can not find any good information how to compile the binary against windows 32-bit. Can you please provide some info about this? Thanks for your help!

Investigate `ldm {..pc}`

.section .text
.global _start
.arm
_start:
	mov r0, r0
	adr r0, gadget+1
	bx r0
	.byte 0x00, 0x00
.thumb
gadget:
	.byte 0xe8, 0x94, 0xeb, 0xff
	.byte 0xff, 0xeb, 0x94, 0xe8

ldm.w r4, {r0, r1, r2, r3, r4, r5, r6, r7, r8, sb, fp, sp, lr, pc}
per ARM TrustZone: pivoting to the secure world

consider final version 2 release

hey, i would like to update the rp package, therefor i would like to ask if you could consider tagging a 2 release?
cheers

Build instructions are inaccurate

These instructions don't seem to work:

# unix => cd build/ && cmake .. && make

First of all, "build" doesn't exist because git cannot store empty directories. Second, running "cmake .." puts the makefiles in .. too. So something more accurate would be:

# mkdir build && cd $_ && cmake .. && cd .. && make

ROP gadget not ending in RET instruction

It seems rp++ is pulling out a few ROP gadgets which do not end in RET instruction. Precisely, is such a gadget as below a valid one and by design?

0x08048740: adc edi, dword [ebx+0x080498D8] ; nop ; sub ebx, 0x04 ; call eax ; (1 found)

mis-reported duplicates

Syscall gadgets can be misreported as duplicates. Example output (first run with --unique, second without):

> ./rp-lin-x64 --unique -r2 -f test.elf
Trying to open 'test.elf'..
Loading ELF information..
FileFormat: Elf, Arch: x64

Wait a few seconds, rp++ is looking for gadgets (2 threads max)..
A total of 7 gadgets found.
You decided to keep only the unique ones, 3 unique gadgets found.
0x00401004: ret  ;  \xc3 (1 found)
0x00401000: syscall  ;  \x45\xf0\x0f\x05 (3 found)
0x00401000: syscall  ; ret  ;  \x45\xf0\x0f\x05\xc3 (3 found)

> ./rp-lin-x64 -r2 -f test.elf
Trying to open 'test.elf'..
Loading ELF information..
FileFormat: Elf, Arch: x64

Wait a few seconds, rp++ is looking for gadgets (2 threads max)..
A total of 7 gadgets found.
0x00401000: syscall  ;  \x45\xf0\x0f\x05 (1 found)
0x00401001: syscall  ;  \xf0\x0f\x05 (1 found)
0x00401002: syscall  ;  \x0f\x05 (1 found)
0x00401004: ret  ;  \xc3 (1 found)
0x00401000: syscall  ; ret  ;  \x45\xf0\x0f\x05\xc3 (1 found)
0x00401001: syscall  ; ret  ;  \xf0\x0f\x05\xc3 (1 found)
0x00401002: syscall  ; ret  ;  \x0f\x05\xc3 (1 found)

However, these syscalls are not all the same. See these disassembly results from pwntools:

> ipython3
Python 3.8.10 (default, Sep 28 2021, 16:10:42) 
Type 'copyright', 'credits' or 'license' for more information
IPython 7.13.0 -- An enhanced Interactive Python. Type '?' for help.

In [1]: import pwn                                                                                      

In [2]: pwn.disasm(b'\x0f\x05')                                                                         
Out[2]: '   0:   0f 05                   syscall'

In [3]: pwn.disasm(b'\xf0\x0f\x05')                                                                     
Out[3]: '   0:   f0 0f 05                lock syscall'

In [4]: pwn.disasm(b'\x45\xf0\x0f\x05')                                                                 
Out[4]: '   0:   45                      inc    ebp\n   1:   f0 0f 05                lock syscall'

And in practice, only the smaller gadget at 0x401002 works for me as a syscall.

I suspect the disassembly just needs to be tweaked somehow to fix.

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.