forked from oblivia-simplex/roper
Return Oriented Programme Evolution with ROPER
NOTE: Under development. Not yet ready for actual use.

ROPER
A GENETIC ROP-CHAIN DEVELOPMENT TOOL

Genetic programming platform for evolving ROP-chain payloads.

This project is still very much under construction. When it's up and running, the idea is for the programme to be able to:

* dissect a given binary into a collection of ROP gadgets;
* request a machine-state pattern from the user (the one she desires her ROP-chain attack to bring about) -- this could be a matter of having the machine perform a syscall to execve "/bin/sh", for example;
* generate a randomized population of chains from these gadgets;

then, until a suitable payload evolves...

* randomly select four of these chains from the population, and run them in a virtual environment that mimics the target architecture (currently, I'm working on building the amd64 environment);
* send these chains to one of an array of hatchsock servers, running on qemu instances. These servers will receive the machine code, execute it while ptracing the register state, and transmit a vector representing the register state back to the genetic apparatus, where we will
* compare each returned register-state vector with the requested pattern, and gauge the fitness of each chain in terms of the result of that comparison;
* kill off the two least fit chains, mate the two most fit, and add their children back to the general population;
* rinse;
* repeat.

The idea is that the process should, at least in most cases, converge on a set of viable specimens that can then be used as the payloads in ROP-chain attacks. For them to be of any use, of course, an attack vector still needs to be found. (So this utility might pair up nicely with a good fuzzer, or something.)

The working languages are mostly Common Lisp (for the high-level stuff) and C (for the low-down dirty stuff).

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Very much under development at this point.

If you want to see what the genetic component will look like, you can take a look at the genlin repository. There will be some similarities to that (which I wrote earlier this year). Right now, I'm working on getting all the low-level razzmatazz to play nice. Expect to see a rudimentary genetic system up and running by the end of April, though, and refinements to come over the summer.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

(nb: if using :iolib for sockets, install fixlibposix-dev first)

For a fuller explanation of what this programme does so far (and note that it's still on the drawing board), check out the files in the doc directory.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
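The selection loop sketched in the README (draw four chains, run them, mate the two fittest, replace the two least fit, repeat until a chain reproduces the requested machine state) is shown below as an added example in C. It is not ROPER's own code: the gadget table is a constructed set of eight operations on a four-register toy machine, `run_chain` is a few lines of C standing in for the qemu/ptrace hatchsock servers, and the target state, chain length, population size, PRNG and the function names `run_chain`, `chain_fitness` and `evolve` are all assumptions made for the example. Fitness is the distance between the final register vector and the requested one, so 0 means the chain produced exactly the desired state.

```c
/* Added example, not part of the ROPER project. Toy steady-state genetic
 * algorithm over a constructed gadget table and a 4-register toy machine. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NREG     4
#define NGAD     8
#define CHAINLEN 6
#define POPSIZE  32

enum { OP_SET, OP_ADD, OP_MOV };

/* Constructed gadget table: each entry mutates the toy register file.
 * OP_SET: dst = arg; OP_ADD: dst += arg; OP_MOV: dst = regs[arg]. */
typedef struct { int op, dst, arg; } Gadget;
static const Gadget gadgets[NGAD] = {
    {OP_SET, 0, 7}, {OP_SET, 1, 3}, {OP_ADD, 2, 5}, {OP_ADD, 2, 7},
    {OP_ADD, 3, 5}, {OP_SET, 0, 0}, {OP_MOV, 3, 1}, {OP_ADD, 1, 1},
};

/* Assumed user-requested machine-state pattern (the evolutionary goal). */
static const int target[NREG] = {7, 3, 12, 5};

typedef struct { int g[CHAINLEN]; int fit; } Chain;

/* Small deterministic PRNG so every run with a given seed is reproducible. */
static unsigned long long rng_state = 1;
static unsigned rng(void) {
    rng_state = rng_state * 6364136223846793005ULL + 1442695040888963407ULL;
    return (unsigned)(rng_state >> 33);
}

/* Stand-in for the emulator: apply each gadget in order to zeroed registers. */
void run_chain(const int *g, int regs[NREG]) {
    memset(regs, 0, sizeof(int) * NREG);
    for (int i = 0; i < CHAINLEN; i++) {
        const Gadget *gd = &gadgets[g[i]];
        switch (gd->op) {
        case OP_SET: regs[gd->dst] = gd->arg; break;
        case OP_ADD: regs[gd->dst] += gd->arg; break;
        case OP_MOV: regs[gd->dst] = regs[gd->arg]; break;
        }
    }
}

/* Fitness: L1 distance between the final register vector and the target.
 * Lower is better; 0 means the requested state was reached exactly. */
int chain_fitness(const int *g) {
    int regs[NREG], d = 0;
    run_chain(g, regs);
    for (int r = 0; r < NREG; r++) d += abs(regs[r] - target[r]);
    return d;
}

static void randomize(Chain *c) {
    for (int i = 0; i < CHAINLEN; i++) c->g[i] = rng() % NGAD;
    c->fit = chain_fitness(c->g);
}

/* One-point crossover of two parents plus an occasional single-gadget mutation. */
static void mate(const Chain *a, const Chain *b, Chain *child) {
    int cut = 1 + rng() % (CHAINLEN - 1);
    for (int i = 0; i < CHAINLEN; i++) child->g[i] = i < cut ? a->g[i] : b->g[i];
    if (rng() % 4 == 0) child->g[rng() % CHAINLEN] = rng() % NGAD;
    child->fit = chain_fitness(child->g);
}

/* Steady-state tournament: draw four distinct chains, mate the two fittest,
 * overwrite the two least fit with the children. Returns the best fitness
 * seen after `iters` tournaments, stopping early once a chain reaches 0. */
int evolve(unsigned long long seed, int iters) {
    Chain pop[POPSIZE];
    rng_state = seed;
    for (int i = 0; i < POPSIZE; i++) randomize(&pop[i]);
    int best = pop[0].fit;
    for (int i = 1; i < POPSIZE; i++) if (pop[i].fit < best) best = pop[i].fit;
    for (int it = 0; it < iters && best > 0; it++) {
        int idx[4];
        for (int k = 0; k < 4; k++) {            /* four distinct population indices */
            int dup;
            do {
                idx[k] = rng() % POPSIZE; dup = 0;
                for (int j = 0; j < k; j++) if (idx[j] == idx[k]) dup = 1;
            } while (dup);
        }
        for (int x = 0; x < 4; x++)              /* sort the four, fittest first */
            for (int y = x + 1; y < 4; y++)
                if (pop[idx[y]].fit < pop[idx[x]].fit) { int t = idx[x]; idx[x] = idx[y]; idx[y] = t; }
        Chain c1, c2;
        mate(&pop[idx[0]], &pop[idx[1]], &c1);
        mate(&pop[idx[1]], &pop[idx[0]], &c2);
        pop[idx[2]] = c1;                        /* children replace the two least fit */
        pop[idx[3]] = c2;
        if (c1.fit < best) best = c1.fit;
        if (c2.fit < best) best = c2.fit;
    }
    return best;
}

int main(void) {
    int known[CHAINLEN] = {0, 1, 2, 3, 4, 0};   /* hand-built chain that hits the target */
    printf("fitness of hand-built chain: %d\n", chain_fitness(known));
    printf("best fitness after evolution: %d\n", evolve(42, 20000));
    return 0;
}
```

Because the loop only ever overwrites the two least fit members of each tournament, the best fitness seen never gets worse as iterations accumulate; that monotonicity is the property worth checking when wiring a real emulator in place of `run_chain`, since a noisy or non-deterministic fitness signal (a register vector that differs between runs of the same chain) breaks it.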
Languages
- C 80.4%
- Haskell 15.9%
- Makefile 2.5%
- Other 1.2%