Merge pull request #176 from JonathanSalwan/fix-raw-mode

Fix specifying --thumb option with --rawMode arm
JonathanSalwan · Mar 11, 2022 · 2799019 · 2799019
2 parents 0703adf + f2573c5
commit 2799019
Show file tree

Hide file tree

Showing 5 changed files with 99 additions and 40 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -11,8 +11,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v2
-    - name: Python code style linter
-      uses: wemake-services/wemake-python-styleguide@0.14.1
+      # - name: Python code style linter
+      # - uses: wemake-services/wemake-python-styleguide@0.16.0
     - name: Build
       run: |
           python2 -m pip install --upgrade setuptools wheel

diff --git a/README.md b/README.md
@@ -46,41 +46,83 @@ Usage
                         [--rawEndian <endian>] [--re <re>] [--offset <hexaddr>]
                         [--ropchain] [--thumb] [--console] [--norop] [--nojop]
                         [--callPreceded] [--nosys] [--multibr] [--all] [--noinstr]
-                        [--dump] [--silent] [--align ALIGN]
+                        [--dump] [--silent] [--align ALIGN] [--mipsrop <rtype>]
+
+    description:
+      ROPgadget lets you search your gadgets on a binary. It supports several
+      file formats and architectures and uses the Capstone disassembler for
+      the search engine.
+
+    formats supported:
+      - ELF
+      - PE
+      - Mach-O
+      - Raw
+
+    architectures supported:
+      - x86
+      - x86-64
+      - ARM
+      - ARM64
+      - MIPS
+      - PowerPC
+      - Sparc
 
     optional arguments:
-        -h, --help           show this help message and exit
-        -v, --version        Display the ROPgadget's version
-        -c, --checkUpdate    Checks if a new version is available
-        --binary <binary>    Specify a binary filename to analyze
-        --opcode <opcodes>   Search opcode in executable segment
-        --string <string>    Search string in readable segment
-        --memstr <string>    Search each byte in all readable segment
-        --depth <nbyte>      Depth for search engine (default 10)
-        --only <key>         Only show specific instructions
-        --filter <key>       Suppress specific mnemonics
-        --range <start-end>  Search between two addresses (0x...-0x...)
-        --badbytes <byte>    Rejects specific bytes in the gadget's address
-        --rawArch <arch>     Specify an arch for a raw file
-        --rawMode <mode>     Specify a mode for a raw file
-        --rawEndian <endian> Specify an endianness for a raw file
-        --re <re>            Regular expression
-        --offset <hexaddr>   Specify an offset for gadget addresses
-        --ropchain           Enable the ROP chain generation
-        --thumb              Use the thumb mode for the search engine (ARM only)
-        --console            Use an interactive console for search engine
-        --norop              Disable ROP search engine
-        --nojop              Disable JOP search engine
-        --callPreceded       Only show gadgets which are call-preceded
-        --nosys              Disable SYS search engine
-        --multibr            Enable multiple branch gadgets
-        --all                Disables the removal of duplicate gadgets
-        --noinstr            Disable the gadget instructions console printing
-        --dump               Outputs the gadget bytes
-        --silent             Disables printing of gadgets during analysis
-        --align ALIGN        Align gadgets addresses (in bytes)
-        --mipsrop <rtype>    MIPS useful gadgets finder
-                             stackfinder|system|tails|lia0|registers
+      -h, --help            show this help message and exit
+      -v, --version         Display the ROPgadget's version
+      -c, --checkUpdate     Checks if a new version is available
+      --binary <binary>     Specify a binary filename to analyze
+      --opcode <opcodes>    Search opcode in executable segment
+      --string <string>     Search string in readable segment
+      --memstr <string>     Search each byte in all readable segment
+      --depth <nbyte>       Depth for search engine (default 10)
+      --only <key>          Only show specific instructions
+      --filter <key>        Suppress specific mnemonics
+      --range <start-end>   Search between two addresses (0x...-0x...)
+      --badbytes <byte>     Rejects specific bytes in the gadget's address
+      --rawArch <arch>      Specify an arch for a raw file
+                            x86|arm|arm64|sparc|mips|ppc
+      --rawMode <mode>      Specify a mode for a raw file 32|64|arm|thumb
+      --rawEndian <endian>  Specify an endianness for a raw file little|big
+      --re <re>             Regular expression
+      --offset <hexaddr>    Specify an offset for gadget addresses
+      --ropchain            Enable the ROP chain generation
+      --thumb               Use the thumb mode for the search engine (ARM only)
+      --console             Use an interactive console for search engine
+      --norop               Disable ROP search engine
+      --nojop               Disable JOP search engine
+      --callPreceded        Only show gadgets which are call-preceded
+      --nosys               Disable SYS search engine
+      --multibr             Enable multiple branch gadgets
+      --all                 Disables the removal of duplicate gadgets
+      --noinstr             Disable the gadget instructions console printing
+      --dump                Outputs the gadget bytes
+      --silent              Disables printing of gadgets during analysis
+      --align ALIGN         Align gadgets addresses (in bytes)
+      --mipsrop <rtype>     MIPS useful gadgets finder
+                            stackfinder|system|tails|lia0|registers
+
+    examples:
+      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86
+      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --ropchain
+      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --depth 3
+      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --string "main"
+      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --string "m..n"
+      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --opcode c9c3
+      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --only "mov|ret"
+      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --only "mov|pop|xor|ret"
+      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --filter "xchg|add|sub|cmov.*"
+      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --norop --nosys
+      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --range 0x08041000-0x08042000
+      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --string main --range 0x080c9aaa-0x080c9aba
+      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --memstr "/bin/sh"
+      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --console
+      ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86 --badbytes "00|01-1f|7f|42"
+      ROPgadget.py --binary ./test-suite-binaries/Linux_lib64.so --offset 0xdeadbeef00000000
+      ROPgadget.py --binary ./test-suite-binaries/elf-ARMv7-ls --depth 5
+      ROPgadget.py --binary ./test-suite-binaries/elf-ARM64-bash --depth 5
+      ROPgadget.py --binary ./test-suite-binaries/raw-x86.raw --rawArch=x86 --rawMode=32
 
 How can I contribute ?
 ----------------------

diff --git a/ropgadget/args.py b/ropgadget/args.py
@@ -79,9 +79,9 @@ def __parse(self, arguments, custom_arguments_provided=False):
         parser.add_argument("--filter",             type=str, metavar="<key>",        help="Suppress specific mnemonics")
         parser.add_argument("--range",              type=str, metavar="<start-end>",  default="0x0-0x0", help="Search between two addresses (0x...-0x...)")
         parser.add_argument("--badbytes",           type=str, metavar="<byte>",       help="Rejects specific bytes in the gadget's address")
-        parser.add_argument("--rawArch",            type=str, metavar="<arch>",       help="Specify an arch for a raw file")
-        parser.add_argument("--rawMode",            type=str, metavar="<mode>",       help="Specify a mode for a raw file")
-        parser.add_argument("--rawEndian",          type=str, metavar="<endian>",     help="Specify an endianness for a raw file")
+        parser.add_argument("--rawArch",            type=str, metavar="<arch>",       help="Specify an arch for a raw file x86|arm|arm64|sparc|mips|ppc")
+        parser.add_argument("--rawMode",            type=str, metavar="<mode>",       help="Specify a mode for a raw file 32|64|arm|thumb")
+        parser.add_argument("--rawEndian",          type=str, metavar="<endian>",     help="Specify an endianness for a raw file little|big")
         parser.add_argument("--re",                 type=str, metavar="<re>",         help="Regular expression")
         parser.add_argument("--offset",             type=str, metavar="<hexaddr>",    help="Specify an offset for gadget addresses")
         parser.add_argument("--ropchain",           action="store_true",              help="Enable the ROP chain generation")
@@ -107,6 +107,23 @@ def __parse(self, arguments, custom_arguments_provided=False):
         if self.__args.noinstr and self.__args.re:
             raise ValueError("[Error] --noinstr and --re=<re> can't be used together")
 
+        if self.__args.thumb and self.__args.rawMode and self.__args.rawMode != "thumb":
+            raise ValueError("[Error] --rawMode is conflicting with --thumb")
+
+        if not self.__args.rawArch and self.__args.rawMode:
+            raise ValueError("[Error] Specify --rawArch")
+
+        if not self.__args.rawArch and self.__args.rawEndian:
+            raise ValueError("[Error] Specify --rawArch")
+
+        rawMode = "thumb" if self.__args.thumb else self.__args.rawMode
+
+        if self.__args.rawArch and not rawMode:
+            raise ValueError("[Error] Specify --rawMode")
+
+        if self.__args.rawArch and not self.__args.rawEndian and self.__args.rawArch != "x86":
+            raise ValueError("[Error] Specify --rawEndian")
+
         if self.__args.version:
             self.__printVersion()
             sys.exit(0)

diff --git a/ropgadget/binary.py b/ropgadget/binary.py
@@ -29,11 +29,11 @@ def __init__(self, options):
             print("[Error] Can't open the binary or binary not found")
             return None
 
-        if options.rawArch and options.rawMode:
+        if options.rawArch:
             self.__binary = Raw(
                 self.__rawBinary,
                 options.rawArch,
-                options.rawMode,
+                "thumb" if options.thumb else options.rawMode,
                 options.rawEndian,
             )
         elif self.__rawBinary[:4] == unhexlify(b"7f454c46"):

diff --git a/test-suite-binaries/ref_output.bz2 b/test-suite-binaries/ref_output.bz2