david942j e28085f083 speed up testing and remove test_files in gemspec 2017-02-14 17:26:47 +08:00
bin add --force-file option 2017-02-13 18:24:33 +08:00
examples feature suggested by lyc12345 2017-02-09 15:33:05 +08:00
lib speed up testing and remove test_files in gemspec 2017-02-14 17:26:47 +08:00
spec speed up testing and remove test_files in gemspec 2017-02-14 17:26:47 +08:00
tasks tasklize generate builds list 2017-02-11 21:35:56 +08:00
.gitignore empty gem 2017-02-07 16:30:06 +08:00
.rubocop.yml refactor builds' format 2017-02-09 12:51:18 +08:00
.travis.yml fix 2017-02-09 14:41:17 +08:00
Gemfile add executable and fix codeclimate 2017-02-07 17:54:25 +08:00
Gemfile.lock add executable and fix codeclimate 2017-02-07 17:54:25 +08:00
LICENSE Initial commit 2017-02-07 16:03:34 +08:00
README.md update readme 2017-02-13 23:23:47 +08:00
Rakefile tasklize generate builds list 2017-02-11 21:35:56 +08:00
builds_list support of i386, tested on 16.04 and 14.04 lib32 2017-02-13 23:06:20 +08:00
one_gadget.gemspec speed up testing and remove test_files in gemspec 2017-02-14 17:26:47 +08:00

README.md


One Gadget

When playing CTF pwn challenges we usually need the one-gadget for execve('/bin/sh', NULL, NULL): a single address in libc that spawns a shell when jumped to, provided a few register or stack constraints hold.

This gem provides such a gadget finder, so there is no need to open IDA Pro every time like a fool.

It also provides the command-line tool one_gadget for easy use.

Note: Supports amd64 and i386!

Note 2: still a work in progress; the gem version may update frequently :p.

Install

Available on RubyGems.org!

gem install one_gadget

Usage

Command Line Tool

one_gadget
# Usage: one_gadget [file] [options]
#     -b, --build-id BuildID           BuildID[sha1] of libc.
#     -f, --[no-]force-file            Force search gadgets in file instead of build id first.
#     -r, --[no-]raw                   Output gadgets offset only, split with one space.
#     -s, --script exploit-script      Run exploit script with all possible gadgets.
#                                      The script will be run as 'exploit-script $offset'.

one_gadget -b 60131540dadc6796cab33388349e6e4e68692053
# offset: 0x4526a
# constraints:
#   [rsp+0x30] == NULL
#
# offset: 0xef6c4
# constraints:
#   [rsp+0x50] == NULL
#
# offset: 0xf0567
# constraints:
#   [rsp+0x70] == NULL
#
# offset: 0xf5b10
# constraints:
#   [rbp-0xf8] == NULL
#   rcx == NULL
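The -b option above takes the libc's BuildID, which is the sha1 stored in the ELF's .note.gnu.build-id note; it is what lets one_gadget look a libc up in its builds_list without having the file at hand. The following is an added example, not code from the one_gadget gem, that extracts that id with plain Ruby for both ELF32 (i386) and ELF64 (amd64), so you can confirm which libc a target is linked against before querying. The sample_elf64 helper and its layout are constructed here purely so the example runs offline; the id it embeds is the one from the README example above.

```ruby
# Added example, not code from the one_gadget gem: read the GNU build-id
# (the sha1 that one_gadget's -b option takes) from an ELF's
# .note.gnu.build-id section. Handles little-endian ELF32 (i386) and
# ELF64 (amd64), the two targets the README lists.

ELF_MAGIC = "\x7FELF".b
NT_GNU_BUILD_ID = 3   # note type of the build-id note (elf.h)
SHT_NOTE = 7
SHT_STRTAB = 3

# NUL-terminated string starting at byte offset +off+ of a binary buffer.
def cstr(buf, off)
  nul = buf.index("\0", off) || buf.bytesize
  buf.byteslice(off, nul - off)
end

# Walk the entries of a note section and return the build-id as lowercase
# hex, or nil when there is no GNU build-id note.
def build_id_from_notes(notes)
  pos = 0
  while pos + 12 <= notes.bytesize
    namesz, descsz, type = notes.byteslice(pos, 12).unpack('L<L<L<')
    pos += 12
    name = notes.byteslice(pos, namesz)
    pos += (namesz + 3) & ~3          # name and desc are padded to 4 bytes
    desc = notes.byteslice(pos, descsz)
    pos += (descsz + 3) & ~3
    return desc.unpack1('H*') if type == NT_GNU_BUILD_ID && name == "GNU\0".b
  end
  nil
end

# Parse the ELF header and section table, locate .note.gnu.build-id and
# return its build-id (nil if the file carries none). Raises on non-ELF input.
def build_id_of_elf(data)
  data = data.b
  raise ArgumentError, 'not an ELF file' unless data.byteslice(0, 4) == ELF_MAGIC
  is64 = data.getbyte(4) == 2       # EI_CLASS: 1 = ELF32, 2 = ELF64
  if is64
    shoff = data.byteslice(0x28, 8).unpack1('Q<')
    shentsize, shnum, shstrndx = data.byteslice(0x3a, 6).unpack('S<S<S<')
  else
    shoff = data.byteslice(0x20, 4).unpack1('L<')
    shentsize, shnum, shstrndx = data.byteslice(0x2e, 6).unpack('S<S<S<')
  end
  return nil if shnum.zero?
  # Only sh_name, sh_offset and sh_size are needed from each section header.
  sections = Array.new(shnum) do |i|
    raw = data.byteslice(shoff + i * shentsize, shentsize)
    fmt = is64 ? 'L<L<Q<Q<Q<Q<' : 'L<L<L<L<L<L<'
    name, _type, _flags, _addr, off, size = raw.unpack(fmt)
    { name: name, off: off, size: size }
  end
  strtab = sections[shstrndx]
  names = data.byteslice(strtab[:off], strtab[:size])
  note = sections.find { |s| cstr(names, s[:name]) == '.note.gnu.build-id' }
  return nil unless note
  build_id_from_notes(data.byteslice(note[:off], note[:size]))
end

def build_id_of_file(path)
  build_id_of_elf(File.binread(path))
end

# Constructed sample: a minimal ELF64 whose only payload is a build-id note,
# so the example runs without a real libc on disk.
def sample_elf64(build_id_hex)
  desc = [build_id_hex].pack('H*')
  note = [4, desc.bytesize, NT_GNU_BUILD_ID].pack('L<L<L<') + "GNU\0".b + desc
  shstrtab = "\0.note.gnu.build-id\0.shstrtab\0".b
  note_off = 64
  str_off = note_off + note.bytesize
  shoff = str_off + shstrtab.bytesize
  ident = ELF_MAGIC + [2, 1, 1].pack('C3') + ("\0" * 9)   # ELFCLASS64, LSB, EV_CURRENT
  # e_type=ET_DYN, e_machine=EM_X86_64, then the table offsets and sizes.
  header = ident + [3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 2].pack('S<S<L<Q<Q<Q<L<S<S<S<S<S<S<')
  shdr = ->(name, type, off, size) { [name, type, 0, 0, off, size, 0, 0, 4, 0].pack('L<L<Q<Q<Q<Q<L<L<Q<Q<') }
  header + note + shstrtab +
    shdr.(0, 0, 0, 0) + shdr.(1, SHT_NOTE, note_off, note.bytesize) +
    shdr.(20, SHT_STRTAB, str_off, shstrtab.bytesize)
end

# Prints the id from the README's -b example when run directly.
puts build_id_of_elf(sample_elf64('60131540dadc6796cab33388349e6e4e68692053')) if $PROGRAM_NAME == __FILE__
```

On a real system, `build_id_of_file('/lib/x86_64-linux-gnu/libc.so.6')` gives the same value `file` or `readelf -n` report, and that is the string to pass to one_gadget -b.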

one_gadget /lib/i386-linux-gnu/libc.so.6
# offset: 0x3ac69
# constraints:
#   esi is the address of `rw-p` area of libc
#   [esp+0x34] == NULL
#
# offset: 0x5fbbe
# constraints:
#   esi is the address of `rw-p` area of libc
#   eax == NULL
#
# offset: 0x12036c
# constraints:
#   esi is the address of `rw-p` area of libc
#   eax == NULL

Combine with exploit script

Pass your exploit script with -s and one_gadget will run it once per gadget, appending the offset as the script's argument, so you don't need to try every possible gadget manually.

one_gadget ./spec/data/libc-2.19.so -s 'echo "offset ->"'

--script

Directly use in script

require 'one_gadget'
OneGadget.gadgets(file: '/lib/x86_64-linux-gnu/libc.so.6')
# => [283242, 980676, 984423, 1006352]

Screenshots

Search gadgets from file

from file

Fetch gadgets from database

build id