2019 UPDATE: This software is pretty bad. It was a tool I created while learning and it sucks a lot. If you’re here looking for a tool I wouldn’t recommend to use this. If you’re here to learn some history then go ahead!
I’ve done a post about Return Oriented Programming (ROP) before where I described the basic operation of a ROP chain. The public domain of pentest security tools involving ROP is largely oriented around the Intel x86 architecture. Now I have my own contribution to the security world.
This rapidly changing world has seen a surge in mobile technologies (think your iPhones, Android devices, tablets etc.) which utilise the ARM architecture, and it can be somewhat more difficult to use ROP tools based on x86, which leans much more heavily on the stack, whilst ARM leans on registers. I saw this as a potential problem. ROP itself isn’t the most well documented exploitation technique, and this concerns me as it is incredibly powerful. It is true that ASLR is a very strong technique against ROP and you can take some comfort from that; however, I feel it’s nothing more than obscurity. Once you give away any detail of the implementation that can be used as an anchor for referencing code, ASLR is useless. I believe that this basic fact is not respected enough; maybe because writing a ROP script is incredibly tedious, and editing every code point could be too cumbersome for detailed testing against systems.
Here I present my tool, roptool. It’s a tool that will take a script language and a list of gadgets and produce a binary stack layout with data references. You might ask, “davee why are you releasing a tool that will aid hackers hacking stuff? omg ur a baddie”, but my response would probably be a laugh. If you think somebody doing bad would not already have tools, or even the time to do tedious work, then you’re living in a dream. I will spare you all from the whole “not every hacker is evil” agenda, as that is well discussed elsewhere, but this will be very helpful to pentesters who can help improve security, and to other (non-)professional hackers who can strengthen their arguments to companies and organisations when they find issues that would otherwise be overlooked without a proof-of-concept. It’s a double-edged sword, but I am confident this will bring more good than bad.
As a homebrew developer too, I can appreciate why somebody would want to code on a commercial device like the 3DS or Vita. For people familiar with the 3DS, the situation is that people can run their own code: as long as that code is ROP. This is a problem, as writing large-scale applications with ROP manually is tedious and very unenjoyable (unless you’re a masochist). roptool will help provide tools so homebrew developers can at least get something running that they want. Currently roptool has many restrictions which make things difficult, but these should be addressed. As always, no piracy; this should be obvious by now.
So, without further talking, here is the source code: https://bitbucket.org/DaveeFTW/roptool
All work is in the dev branch.
At the time of posting the readme doesn’t contain anything useful, but I intend to improve this with information on the ROP script and provide examples. I have a bug tracker set up, and whilst the source code is open (as usual) I will not be accepting code contributions for the time being. I will, however, be accepting bug reports which, for now, can be posted in the comment section below or emailed to me.
This software is fairly fragile and may change from revision to revision until stability is achieved. Please bear that in mind when you create anything using it. In addition, I’ll provide examples and the updated readme within a few weeks.