CyberCheatsheets

ROPgadget Cheat Sheet

Classic ROP gadget finder with --ropchain auto-generation for simple execve/sh chains.

Exploitation & Payloadsgadgetsret2libcropUpdated 2026-06-02

Overview

ROPgadget extracts gadgets from ELF/Mach-O binaries and can suggest basic ROP chains. Widely used in CTF writeups; complements manual pwntools ROP class.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

pip install ropgadget

or

sudo apt install -y python3-ropgadget
ROPgadget --version

Essential commands

List all gadgets

ROPgadget --binary ./vuln

Search specific instruction sequence

ROPgadget --binary ./vuln --only "pop|ret"

With libc

ROPgadget --binary ./vuln --library libc.so.6

Auto ropchain (simple cases)

ROPgadget --binary ./vuln --ropchain

Common workflows

Find pop rdi (x64) —

ROPgadget --binary ./vuln | grep "pop rdi"
ROPgadget --binary ./vuln --only "pop rdi"

Filter bad characters —

ROPgadget --binary ./vuln --badbytes "000a0d"

Memory segments / strings —

ROPgadget --binary ./vuln --string
ROPgadget --binary ./vuln --section .data

ret2csu (__libc_csu_init) —

ROPgadget --binary ./vuln | grep "pop rbx"

Full exploit prep pipeline —

checksec ./vuln
ROPgadget --binary ./vuln --only "pop|syscall|ret" > gadgets.txt

Flags reference

--binary

Target executable

--library

Extra shared object

--only "regex"

Filter gadget lines

--filter "regex"

Exclude matches

--badbytes

Hex bytes to avoid (no 0x prefix)

--ropchain

Attempt automatic chain

--depth N

Max gadget length

--nojop

Skip JOP gadgets

--all

Include misaligned / unusual

Tips

  • Output can be huge — always pipe to grep or use --only.
  • --ropchain rarely works on real targets; use for learning or simple ELF challenges.
  • Match architecture: sudo apt install python3-capstone if disassembly fails.
  • For PIE binaries, add leaked base to every gadget address offline.

References

Chuletas relacionadas