Skip to content
ROPGenerator is a tool that helps you building ROP exploits by finding and chaining gadgets together
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
ressources Added gifs Apr 12, 2019
ropgenerator Fixed offset handling for writable memory locations Apr 17, 2019
LICENCE.txt Added licence Apr 12, 2019 Update Apr 14, 2019
ROPGenerator Minor changes and adjustments Apr 11, 2019 Change compilation options, reduced basic depth for gadgets search, a… Apr 16, 2019


ROPGenerator is a tool that makes ROP-exploits easy. It automatically extracts and analyses gadgets from binaries and lets you find ROP-chains with semantic queries. The tool supports X86 and X64 architectures, soon to be extended with ARM.

Key features:

  • Effortless: ROPGenerator works out-of-the-box with a smooth Command Line Interface
  • Automatic chaining: ROPGenerator automatically combines gadgets to create complex ROP-chains
  • Semantic queries: ROPGenerator queries are quick and convenient to write : rax=rbx+8, mem(rdi+0x20)=rax, rsi=mem(rbx+16)/2, strcpy(0x1234, "awesome!\x00"), ...
  • Advanced features: ROPGenerator supports ROP-chains involving function calls, syscalls, strings, ...



First install pybind11:

  sudo apt install python3-dev
  sudo apt install cmake
  pip3 install pytest 
  pip3 install pybind11
  git clone && cd pybind11 
  mkdir build && cd build
  cmake ..
  make check -j 4

Then install BARF:

  git clone && cd barf-project
  python3 install --user

You also need the latest ROPgadget release:

  pip install capstone
  git clone && cd ROPgadget
  python install --user 

Finally install and run ROPGenerator:

  git clone && cd ropgenerator
  python3 install --user

Getting started

Load a binary

Find ROP-chains

Use constraints

ROPGenerator support many options for ROP-chains, including:

  • Bad bytes to avoid
  • Registers that shouldn't be clobbered
  • Offset to add to gadget addresses
  • Maximum length
  • Output format (raw, python code, ...)

Call functions

Make syscalls

Alloc-Copy-Execute shellcode

You can save shellcodes in ROPGenerator, then use them with advanced commands, such as ace which automatically delivers the shellcode in memory, makes the memory executable, and jumps to execute it


Boyan MILANOV - bmilanov (at) quarkslab (dot) com


ROPGenerator is provided under the MIT licence.

Special thanks

ROPGenerator uses the following awesome projects:

  • BARF : Binary Analysis and Reverse Engineering plateform
  • LIEF : Binary Parsing and Instrumentation library
  • ROPgadget : Gadget extractor
  • prompt-toolkit : Python CLI interface library
You can’t perform that action at this time.