Maijin commented 7 years ago

Enhancement

[ ] Rop gadget classification Classify them in those categories (See merged PR here - radareorg/radare2#5448 radareorg/radare2#5481 radareorg/radare2#5515 radareorg/radare2#5531 )
- [ ] NOP
- [ ] JUMP EIP = AddrReg + Offset
- [ ] MoveReg OutReg = InReg
- [ ] LoadConst OutReg = Value
- [ ] Arithmetic OutReg = InReg1 InReg2
- [ ] LoadMem OutReg = [AddrReg + Offset]
- [ ] StoreMem [AddrReg + Offset] = InReg
- [ ] ArithmeticLoad OutReg = OutReg [AddrReg + Offset]
- [ ] ArithmeticStore [AddrReg + Offset] = [AddrReg + Offset] InReg
[ ] Enhance SDB ROP storage - https://github.com/radare/radare2/issues/5162
[ ] Rop search improvement - https://github.com/radare/radare2/issues/4284
[ ] ROP Search using ESIL - https://github.com/radare/radare2/issues/2612
[ ] Auto ropper https://github.com/radare/radare2/issues/1708
[ ] Primitive detecting (pivot, leak, write-what-where, etc.) https://github.com/radare/radare2/issues/1708

Building a complete ROPChain

[ ] Identify gadget semantically (likely with ESIL)
- [ ] move a register A into a register B
- [ ] move a register A into an offset B
- [ ] syscall
- [ ] set a register A to zero
- [ ] increment a register A
[ ] Borrow code from RopGadget to generate the ropchain.
Sources
mona.py
ROPGadget

XVilka commented 5 years ago

This tool also looks good https://github.com/Boyan-MILANOV/ropgenerator

ret2libc commented 4 years ago

This issue has been moved from radareorg/radare2 to radareorg/ideas as we are trying to clean our backlog and this issue has probably been created a long while ago. This is an effort to help contributors understand what are the actionable items they can work on, prioritize issues better and help users find active/duplicated issues more easily. If this is not an enhancement/improvement/general idea but a bug, feel free to ask for re-transfer to main repo. Thanks for your understanding and contribution with this issue.

radareorg / ideas

META - ROP #154

Related

Enhancement

Building a complete ROPChain

Sources