Your sophisticated ROP lab – ROPgadget

I'll be blunt: I think MSFrop is more of the honorable mention when we're comparing ROP tools. It's great that the Metasploit Framework has the sophistication to serve as a solid one-stop-shop for hacking, and knowing that we can study gadgets in a binary without leaving the MSF console is handy. But my favorite dedicated tool is the Python-coded ROPgadget. It's a breeze to install on our Kali box with Git:

# git clone https://github.com/JonathanSalwan/ROPgadget.git
# cd ROPgadget/
# ./ROPgadget.py --help

Let's take a look at the options available to us, leaving out a couple of processor-specific commands:

  • --binary specifies our target, which can be ELF, PE, Mach object format, and raw.
  • --opcode searches for the defined opcodes in the executable segments of the binary, while --string searches for a given string in readable segments of the binary. One use for --string is to look at specific functions, such as main().
  • --memstr is your lifeline for borrowing characters from your target binary. Suppose you want to copy the ASCII characters sh into the buffer without injecting them. You'd pass the --memstr "sh" argument and ROPgadget will search for \x73 and \x68 in memory.
  • --depth means the same thing here as it does in MSFrop. It's how many bytes backwards we'll be searching for gadgets once a RET is found.
  • --only and --filter are the instruction filters. --only will hide everything but the specified instructions; --filter will show everything but the specified instructions.
  • --range specifies a range of memory addresses to limit our gadget search. Without this option, the entire binary will be searched. 
  • --badbytes means exactly what you think it means, my weary shellcoder. Just when you thought that borrowing code would spare you the trouble of bytes that shatter both your shellcode and your dreams, experienced ROP engineers run into this occasionally. It doesn't matter where the bytes come from; the break happens during execution. There's another factor to keep in mind, too: the exploit code itself. In this chapter, we'll be working with Python to generate our payload, using the powerful struct module to pack binary data into strings that Python then handles like any ordinary string variable. Remember --badbytes when you're sitting there with a broken script; it might be what you're looking for.
  • --rawArch and --rawMode define the architecture and the 32-bit or 64-bit mode when the input is a raw binary rather than ELF, PE, or Mach-O.
  • --re takes a regular expression (for example, x35).
  • --offset takes a hex value as an offset for calculating gadget addresses.
  • --ropchain is a wonderful coup de grace option that generates the Python exploit code for us. It isn't as easy as throwing it into a .py file and executing it; we need to know exactly how it's being passed to the vulnerable program.
  • --console is for interactive gadget hunting. It brings up essentially a Terminal window within ROPgadget for conducting specific searches. We'll take a look at it later.
  • --norop, --nojop, and --nosys disable the search engines for specific gadget types: return-oriented, jump-oriented, and system call instruction gadgets, respectively. When you're trying to understand the full complement of gadgets available to you, you'll generally want to avoid these options; they're for fine-tuned attacks.
  • By default, duplicate gadgets are suppressed; you can use --all to see everything. This is handy for gathering all of the memory addresses associated with your binary's gadgets.
  • --dump is basically an objdump -x for your gadgets; this will display the disassembled gadgets and then their raw bytes.
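To make the --depth, --offset, --badbytes and --all semantics concrete, here is an added toy Python re-implementation (not ROPgadget's own code) that scans a constructed byte string for RET (0xC3), collects the byte windows ending at each RET, and applies the same filters; find_ret_windows, pack_chain and the sample bytes are assumptions for this illustration. It does not disassemble the windows the way ROPgadget does; it only shows how the search and the filters fit together.

```python
import struct
from typing import List, Tuple

RET = 0xC3  # x86 near RET; the anchor ROPgadget searches backwards from


def find_ret_windows(code: bytes, depth: int, base: int = 0,
                     badbytes: bytes = b"", dedup: bool = True) -> List[Tuple[int, bytes]]:
    """Return (address, raw bytes) for every candidate gadget ending in RET.

    For each RET at offset i, every window code[i-k : i+1] with 1 <= k <= depth
    is a candidate (this is what --depth bounds). `base` plays the role of
    --offset, `badbytes` of --badbytes (a candidate whose packed 32-bit address
    contains a forbidden byte is dropped), and dedup=False of --all.
    """
    seen = set()
    out: List[Tuple[int, bytes]] = []
    for i, b in enumerate(code):
        if b != RET:
            continue
        for k in range(1, depth + 1):
            if i - k < 0:
                break
            window = code[i - k:i + 1]
            addr = base + i - k
            packed = struct.pack("<I", addr)  # little-endian, as it lands in a payload
            if any(x in badbytes for x in packed):
                continue  # this address can never survive the copy
            if dedup and window in seen:
                continue  # same bytes already reported at another address
            seen.add(window)
            out.append((addr, window))
    return out


def pack_chain(addrs: List[int]) -> bytes:
    """Pack gadget addresses back-to-back with struct, 32-bit little-endian."""
    return b"".join(struct.pack("<I", a) for a in addrs)


# Constructed sample: pop eax; ret | pop edx; pop ecx; ret | 00; ret | pop eax; ret
SAMPLE = b"\x58\xc3\x5a\x59\xc3\x00\xc3\x58\xc3"
BASE = 0x08048000  # a typical non-PIE 32-bit ELF load address, used as --offset

if __name__ == "__main__":
    for addr, window in find_ret_windows(SAMPLE, depth=2, base=BASE, badbytes=b"\x00"):
        print(f"0x{addr:08x}: {window.hex(' ')}")
```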

There are several other great ROP programs available, but ROPgadget should get just about any of your projects done. Let's prepare to take it out for a test drive by preparing our vulnerable executable.
