Practical Support for Half-Automated Program Exploitation

PSHAPE (working title: Inspector Gadget) can be downloaded here.
We are still refactoring and testing the code; once that is finished, the tool will be put on GitHub.

PSHAPE has been accepted at the 12th International Workshop on Security and Trust Management (STM), co-located with ESORICS.

Information about the binaries we used in our experiments (use the hash to check that you are reproducing on the same build; the hashes are 40 hex digits, i.e. SHA-1 length):

 Filename      File Version      Hash (40 hex digits, presumably SHA-1)
 chrome.exe    50.0.2661.94      1a84ac19bf1d65595a9b6a93fec853dbbffc6dbb
 firefox.exe   -                 42298bd91eff05a40f07ea069c64cac7baec2e74
 iexplore.exe  11.0.9600.18283   e55b59e3e9530c5e6947c46f937f6ba88dd2eb19
 jfxwebkit.dll -                 b5e78dbd988fab42ebf782b4e2da9593ec34070d
 mshtml.dll    11.0.9600.18283   5408c7e1d618df681268b3d495f0a5d683431edb
 apache2       2.4.10            a178459d9222eef2388e7c84aaa1883d4f1f1155
 chromium      50.0.2661.75      20e33917182c1911ca31e70664ad4d43d290d04d
 nginx         1.40.0            79e8343383c26e6f764d6e78a9e1b969a2c13699
 openssl       1.0.1k-3          078d33df9c216996364d308117e835c4ae239d63


Dependencies (# = run as root, $ = run as an unprivileged user):

1) pyvex:
# pip install pyvex

2) capstone:
# apt-get install python-capstone

3) z3:
$ git clone
$ python scripts/ --python
./configure --prefix=$HOME/mylibs/
$ cd build
$ make
$ sudo make install

Note: you may have to update PYTHONPATH by adding /path/to/z3.git/build/

4) pefile:
git clone build install

5) pyelftools:
# apt-get install python-pyelftools

6) dill:
# pip install dill


PSHAPE produces four files:
filename.pkl is a blob containing all discovered gadgets. PSHAPE can read it back in, so gadget discovery has to be done only once per binary.
filename_all_gadgets is a text file containing all gadgets, including those PSHAPE cannot analyze properly (e.g. because they contain jumps).
filename_gadgets is a text file containing the gadgets PSHAPE analyzed successfully and uses for auto-chaining.
filename_summary is a text file containing a summary of the analysis.


python <parameters>
-b path and name of the binary (ELF and PE are supported for now)
-maxlen maximum length of gadgets (in instructions)
-minlen minimum length of gadgets (in instructions)
-arg number of argument registers to initialize by the auto-chainer (Linux: 2 to 6; Windows: 2 to 4). The limits follow the calling conventions: the System V AMD64 ABI passes the first six integer arguments in rdi, rsi, rdx, rcx, r8, r9, and the Windows x64 ABI passes the first four in rcx, rdx, r8, r9.
-p number of threads (greatly speeds up gadget discovery and summary generation; use this if you have a multicore CPU)
-spm show effects on memory in the output files
-a architecture (default is x86-64; x86 is experimental and only works for gadget discovery, not for chaining)

Usage Examples

python -b /usr/bin/comm -maxlen 10 -arg 3
This finds all gadgets of up to 10 instructions in the file /usr/bin/comm and creates a chain to initialize rdi, rsi, and rcx.

python -b /usr/bin/comm.pkl -arg 4
Uses the file generated in the previous step (comm.pkl), so gadget discovery is skipped and a chain to initialize rdi, rsi, rcx, and rdx is generated.

In both cases, check the register list of the generated chain against the calling convention of the function you intend to call (see -arg above) before using it.
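The two steps the examples above exercise, gadget discovery bounded by -maxlen/-minlen and auto-chaining of argument registers, are shown below as an added, self-contained illustration. This is not PSHAPE's code: it replaces capstone/pyvex with a hand-written decoder for a handful of x86-64 opcodes so it runs without dependencies, the SAMPLE bytes are constructed rather than taken from any binary, and the chaining policy (pure pop/ret gadgets, no clobbering, refuse gadgets that pop rsp) is an assumption chosen for the example, not a description of PSHAPE's auto-chainer.

```python
"""Toy ROP gadget discovery and auto-chaining (added example, not PSHAPE code)."""
from dataclasses import dataclass

# Minimal x86-64 decoder for the opcodes the constructed sample uses.
# Stands in for capstone; returns (mnemonic, length) or None if unknown.
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
REG64_EXT = ["r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


def decode(code: bytes, off: int):
    if off >= len(code):
        return None
    b = code[off]
    if b == 0xC3:
        return ("ret", 1)
    if b == 0x90:
        return ("nop", 1)
    if 0x58 <= b <= 0x5F:
        return (f"pop {REG64[b - 0x58]}", 1)
    if 0x50 <= b <= 0x57:
        return (f"push {REG64[b - 0x50]}", 1)
    if b == 0x41 and off + 1 < len(code):  # REX.B prefix selects r8-r15
        b2 = code[off + 1]
        if 0x58 <= b2 <= 0x5F:
            return (f"pop {REG64_EXT[b2 - 0x58]}", 2)
        if 0x50 <= b2 <= 0x57:
            return (f"push {REG64_EXT[b2 - 0x50]}", 2)
    if b == 0x0F and off + 1 < len(code) and code[off + 1] == 0x05:
        return ("syscall", 2)
    return None


@dataclass(frozen=True)
class Gadget:
    offset: int
    insns: tuple  # mnemonics, always ending in "ret"


def find_gadgets(code: bytes, maxlen: int = 10, minlen: int = 1, max_bytes: int = 20):
    """Classic backward scan from every 0xC3 byte.

    Every start offset up to max_bytes before a ret is tried; it is kept when
    linear decoding lands exactly on that ret with minlen..maxlen instructions
    (ret included). Because x86 instructions have variable length this also
    yields "unintended" gadgets that begin inside a compiler-emitted instruction.
    """
    gadgets = set()
    for ret_off in (i for i, b in enumerate(code) if b == 0xC3):
        for start in range(max(0, ret_off - max_bytes), ret_off + 1):
            off, insns = start, []
            while off <= ret_off and len(insns) <= maxlen:
                d = decode(code, off)
                if d is None:
                    break
                insns.append(d[0])
                off += d[1]
                if d[0] == "ret":
                    break
            if off == ret_off + 1 and insns and insns[-1] == "ret" and minlen <= len(insns) <= maxlen:
                gadgets.add(Gadget(start, tuple(insns)))
    return sorted(gadgets, key=lambda g: g.offset)


# System V AMD64 ABI: registers for the first six integer arguments.
SYSV_ARG_REGS = ["rdi", "rsi", "rdx", "rcx", "r8", "r9"]


def auto_chain(gadgets, nargs: int):
    """Greedy chain loading the first `nargs` SysV argument registers via pops.

    Policy (an assumption of this example): only pure pop/ret gadgets, never
    clobber a register already set earlier in the chain, and refuse anything
    that pops rsp since that would divert the chain. Returns a list of
    (gadget, popped_registers) or None when no chain satisfies the policy.
    """
    remaining, done, chain = set(SYSV_ARG_REGS[:nargs]), set(), []
    candidates = [g for g in gadgets
                  if all(m == "ret" or m.startswith("pop ") for m in g.insns)
                  and "pop rsp" not in g.insns]
    while remaining:
        best = None
        for g in candidates:
            pops = [m[4:] for m in g.insns if m.startswith("pop ")]
            if set(pops) & done:  # would clobber a register we already set
                continue
            gain = len(set(pops) & remaining)
            # Prefer the gadget that sets most needed registers, then fewest pops.
            if gain and (best is None or gain > best[0] or (gain == best[0] and len(pops) < len(best[2]))):
                best = (gain, g, pops)
        if best is None:
            return None
        _, g, pops = best
        chain.append((g, pops))
        done.update(pops)
        remaining -= set(pops)
    return chain


# Constructed sample "text section" (not from any real binary).
SAMPLE = bytes.fromhex(
    "5f5ec3"          # 0x00: pop rdi; pop rsi; ret        (intended gadget)
    "48c7c05fc30000"  # 0x03: mov rax, 0xc35f              (imm holds 5f c3 -> unintended pop rdi; ret at 0x06)
    "5ac3"            # 0x0a: pop rdx; ret
    "595cc3"          # 0x0c: pop rcx; pop rsp; ret        (only rcx source; refused because it pops rsp)
    "4158c3"          # 0x0f: pop r8; ret
    "0f05c3"          # 0x12: syscall; ret
)

if __name__ == "__main__":
    gs = find_gadgets(SAMPLE, maxlen=10, minlen=2)
    for g in gs:
        print(f"{g.offset:#06x}: {'; '.join(g.insns)}")
    print("chain for 3 args:", [(g.offset, pops) for g, pops in auto_chain(gs, 3)])
    print("chain for 4 args:", auto_chain(gs, 4))
```

With -arg 3 the chain uses the intended pop rdi; pop rsi; ret plus pop rdx; ret, while a 1-register chain picks the unintended pop rdi; ret hidden inside the mov immediate. Asking for 4 registers fails, because the only gadget that pops rcx also pops rsp, which is exactly the kind of side effect a chainer has to model before it can trust a gadget.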