one_gadget 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 469c960b795a87ce7f7e02b91c46b2f8e75f4a7d
+  data.tar.gz: c05c6387725951eaee40a2733f33909aa7d81daa
+SHA512:
+  metadata.gz: fa08575754ee8a545db7cc1f60ba307670eadcb2df17750d0504b4a6ac8eb55897bdb2b77aeff6e0ceb207fbe6e15a58b975bee6aed0411b0bfd10beabe00b63
+  data.tar.gz: 92e091b662abf384bd4cc791a27d9478e3bd17c8b9c6fe7f75aa314479b8e50738ba40da8ec40c554fbb166a05e071147999911bd63f6cc21b3445b4a902fb76

data/README.md

@@ -0,0 +1,72 @@
+[![Build Status](https://travis-ci.org/david942j/one_gadget.svg?branch=master)](https://travis-ci.org/david942j/one_gadget)
+[![Code Climate](https://codeclimate.com/github/david942j/one_gadget/badges/gpa.svg)](https://codeclimate.com/github/david942j/one_gadget)
+[![Issue Count](https://codeclimate.com/github/david942j/one_gadget/badges/issue_count.svg)](https://codeclimate.com/github/david942j/one_gadget)
+[![Test Coverage](https://codeclimate.com/github/david942j/one_gadget/badges/coverage.svg)](https://codeclimate.com/github/david942j/one_gadget/coverage)
+[![Inline docs](https://inch-ci.org/github/david942j/one_gadget.svg?branch=master)](https://inch-ci.org/github/david942j/one_gadget)
+[![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)](http://choosealicense.com/licenses/mit/)
+
+## One Gadget
+
+When playing ctf pwn challenges we usually needs the one-gadget of `execve('/bin/sh', NULL, NULL)`.
+
+This gem provides such gadget finder, no need to use IDA-pro every time like a fool.
+
+Also provides the command-line tool `one_gadget` for easy usage.
+
+Note: only supports x86-64 now.
+
+## Install
+
+I'll push to rubygems.org..
+
+## Usage
+
+### Command Line Tool
+
+```bash
+one_gadget
+# Usage: one_gadget [file] [options]
+#     -b, --build-id BuildID           BuildID[sha1] of libc
+#     -r, --[no-]raw                   Output gadgets offset only, split with one space
+#     -s, --script exploit-script      Run exploit script with all possible gadgets
+#                                      The script will be run as 'exploit-script $offset'.
+
+one_gadget -b 60131540dadc6796cab33388349e6e4e68692053
+# offset: 0x4526a
+# constraints:
+#   [rsp+0x30] == NULL
+#
+# offset: 0xef6c4
+# constraints:
+#   [rsp+0x50] == NULL
+#
+# offset: 0xf0567
+# constraints:
+#   [rsp+0x70] == NULL
+```
+
+#### Combine with exploit script
+Pass your exploit script as `one_gadget`'s arguments, it can
+try all gadgets one by one, so you don't need to try every possible gadgets manually.
+
+```bash
+one_gadget ./spec/data/libc-2.19.so -s 'echo "offset ->"'
+```
+
+![--script](https://github.com/david942j/one_gadget/blob/master/examples/script.png?raw=true)
+
+### Directly use in script
+```ruby
+require 'one_gadget'
+OneGadget.gadgets(file: '/lib/x86_64-linux-gnu/libc.so.6')
+# => [283242, 980676, 984423]
+```
+
+## Screenshots
+
+### Search gadgets from file
+![from file](https://github.com/david942j/one_gadget/blob/master/examples/from_file.png?raw=true)
+
+### Fetch gadgets from database
+![build id](https://github.com/david942j/one_gadget/blob/master/examples/from_build_id.png?raw=true)
+

data/bin/one_gadget

@@ -0,0 +1,54 @@
+#!/usr/bun/env ruby
+require 'one_gadget'
+require 'optionparser'
+
+options = { raw: false }
+usage = 'Usage: one_gadget [file] [options]'
+parser = OptionParser.new do |opts|
+  opts.banner = usage
+
+  opts.on('-b', '--build-id BuildID', 'BuildID[sha1] of libc') do |b|
+    options[:build_id] = b
+  end
+
+  opts.on('-r', '--[no-]raw', 'Output gadgets offset only, split with one space') do |v|
+    options[:raw] = v
+  end
+
+  opts.on('-s', '--script exploit-script', 'Run exploit script with all possible gadgets.',
+          'The script will be run as \'exploit-script $offset\'.') do |script|
+    options[:script] = script
+  end
+end
+parser.parse!
+
+def execute(script, offset)
+  pid = fork do
+    exec([script, offset.to_s].join(' '))
+  end
+  Process.wait pid
+end
+
+if options[:build_id]
+  gadgets = OneGadget.gadgets(build_id: options[:build_id], details: true)
+elsif ARGV[0]
+  gadgets = OneGadget.gadgets(file: ARGV[0], details: true)
+else
+  puts parser.help
+  exit(1)
+end
+
+extend OneGadget::Helper::ClassMethods
+if options[:script]
+  gadgets.map(&:offset).each do |offset|
+    puts "[#{colorize('OneGadget', sev: :reg)}] Trying #{colorize(format('0x%x', offset), sev: :integer)}..."
+    execute(options[:script], offset)
+  end
+  exit(0)
+end
+
+if options[:raw]
+  puts gadgets.map(&:offset).join(' ')
+else
+  puts gadgets.map(&:inspect).join("\n")
+end

data/lib/one_gadget.rb

@@ -0,0 +1,35 @@
+# OneGadget - To find the execve(/bin/sh, 0, 0) in glibc.
+#
+# @author david942j
+module OneGadget
+  class << self
+    # The man entry of gem +one_gadget+.
+    # If want to find gadgets from file, it will search gadgets by its
+    # build id first.
+    #
+    # @param [String] file
+    #   The relative path of libc.so.6.
+    # @param [String] build_id
+    #   The BuildID of target libc.so.6.
+    # @return [Array<OneGadget::Gadget::Gadget>, Array<Integer>]
+    #   The gadgets found.
+    # @example
+    #   OneGadget.gadgets(file: './libc.so.6')
+    #   OneGadget.gadgets(build_id: '60131540dadc6796cab33388349e6e4e68692053')
+    def gadgets(file: nil, build_id: nil, details: false)
+      if build_id
+        OneGadget::Fetcher.from_build_id(build_id, details: details)
+      elsif file
+        file = OneGadget::Helper.abspath(file)
+        build_id = OneGadget::Helper.build_id_of(file)
+        gadgets = OneGadget::Fetcher.from_build_id(build_id, details: details)
+        return gadgets unless gadgets.empty?
+        OneGadget::Fetcher.from_file(file, details: details)
+      end
+    end
+  end
+end
+
+require 'one_gadget/fetcher'
+require 'one_gadget/helper'
+require 'one_gadget/version'

data/lib/one_gadget/abi.rb

@@ -0,0 +1,15 @@
+module OneGadget
+  # define the abi of different architecture.
+  module ABI
+    # Define class methods here.
+    module ClassMethods
+      LINUX_X86_32 = %w(eax ebx ecx edx edi esi ebp esp).freeze
+      LINUX_X86_64 = LINUX_X86_32 + %w(rax rbx rcx rdx rdi rsi rbp rsp) + 7.upto(15).map { |i| "r#{i}" }
+      # Only support x86-64 now.
+      def registers
+        LINUX_X86_64
+      end
+    end
+    extend ClassMethods
+  end
+end

data/lib/one_gadget/builds/libc-2.23-60131540dadc6796cab33388349e6e4e68692053.rb

@@ -0,0 +1,8 @@
+require 'one_gadget/gadget'
+# Ubuntu GLIBC 2.23-0ubuntu5
+# ELF 64-bit LSB shared object, x86-64
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 0x4526a, constraints: ['[rsp+0x30] == NULL'])
+OneGadget::Gadget.add(build_id, 0xef6c4, constraints: ['[rsp+0x50] == NULL'])
+OneGadget::Gadget.add(build_id, 0xf0567, constraints: ['[rsp+0x70] == NULL'])
+OneGadget::Gadget.add(build_id, 0xf5b10, constraints: ['[rbp-0xf8] == NULL', 'rcx == NULL'])

data/lib/one_gadget/fetcher.rb

@@ -0,0 +1,75 @@
+require 'one_gadget/helper'
+require 'one_gadget/gadget'
+
+module OneGadget
+  # To find gadgets.
+  module Fetcher
+    # Define class methods here.
+    module ClassMethods
+      # Fetch one-gadget offsets of this build id.
+      # @param [String] build_id The targets' BuildID.
+      # @param [Boolean] details
+      #   If needs to return the gadgets' constraints.
+      # @return [Array<Integer>, Array<OneGadget::Gadget::Gadget>]
+      #   If +details+ is +false+, +Array<Integer>+ is returned, which
+      #   contains offset only.
+      #   Otherwise, array of gadgets is returned.
+      def from_build_id(build_id, details: false)
+        if (build_id =~ /\A#{OneGadget::Helper::BUILD_ID_FORMAT}\Z/).nil?
+          raise ArgumentError, format('invalid BuildID format: %p', build_id)
+        end
+        gadgets = OneGadget::Gadget.builds(build_id)
+        return gadgets if details
+        gadgets.map(&:offset)
+      end
+
+      # Fetch one-gadget offsets from file.
+      # @param [String] file The absolute path of libc file.
+      # @param [Boolean] details
+      #   If needs to return the gadgets' constraints.
+      # @return [Array<Integer>, Array<OneGadget::Gadget::Gadget>]
+      #   If +details+ is +false+, +Array<Integer>+ is returned, which
+      #   contains offset only.
+      #   Otherwise, array of gadgets is returned.
+      def from_file(file, details: false)
+        bin_sh_hex = str_offset(file, '/bin/sh').to_s(16)
+        candidates = `objdump -d -M intel #{file}|egrep '<execve[^+]*>$' -B 10`.split('--').select do |candidate|
+          next false unless candidate.include?(bin_sh_hex)
+          next false unless candidate.lines.last.include?('call') # last line must be +call execve+
+          true
+        end
+        candidates.map! do |candidate|
+          # remove other calls
+          lines = candidate.lines
+          to_rm = lines[0...-1].rindex { |c| c.include?('call') }
+          lines = lines[to_rm + 1..-1] unless to_rm.nil?
+          lines.map! { |s| s.gsub(/#\s+#{bin_sh_hex}\s+<.*>$/, "# #{bin_sh_hex} \"/bin/sh\"") }
+          lines.join
+        end
+        gadgets = candidates.map { |c| convert_to_gadget(c) }
+        return gadgets if details
+        gadgets.map(&:offset)
+      end
+
+      private
+
+      def str_offset(file, str)
+        match = `strings -tx #{file} | grep '#{str}'`.lines.map(&:strip).first
+        return nil if match.nil?
+        # 17c8c3 /bin/sh
+        match.split.first.to_i(16)
+      end
+
+      def convert_to_gadget(assembly)
+        lines = assembly.lines.map(&:strip)
+        offset = lines.first.scan(/^([\da-f]+):/)[0][0].to_i(16)
+        # fetch those might be constraints lines.
+        important_lines = lines.select { |line| ['rsi'].any? { |r| line.include?(r) } }.map do |line|
+          line.split("\t").last.gsub(/\s+/, ' ')
+        end
+        OneGadget::Gadget::Gadget.new(offset, constraints: important_lines)
+      end
+    end
+    extend ClassMethods
+  end
+end

data/lib/one_gadget/gadget.rb

@@ -0,0 +1,77 @@
+require 'one_gadget/abi'
+
+module OneGadget
+  # Module for define gadgets.
+  module Gadget
+    # Information of a gadget.
+    class Gadget
+      # @return [Integer] The gadget's address offset.
+      attr_accessor :offset
+      # @return [Array<String>] The constraints need for this gadget.
+      attr_accessor :constraints
+
+      # Initialize method of {Gadget} instance.
+      # @param [Integer] offset The relative address offset of this gadget.
+      # @option options [Array<String>] :constraints
+      #   The constraints need for this gadget. Defaults to +[]+.
+      # @example
+      #   OneGadget::Gadget::Gadget.new(0x12345, constraints: ['rax == 0'])
+      def initialize(offset, **options)
+        @offset = offset
+        @constraints = options[:constraints] || []
+      end
+
+      # Show gadget in a pretty way.
+      def inspect
+        str = format("#{OneGadget::Helper.colorize('offset', sev: :sym)}: 0x%x\n", offset)
+        unless constraints.empty?
+          str += "#{OneGadget::Helper.colorize('constraints')}:\n  "
+          str += constraints.join("\n  ")
+        end
+        str.gsub!(/0x[\da-f]+/) { |s| OneGadget::Helper.colorize(s, sev: :integer) }
+        OneGadget::ABI.registers.each { |reg| str.gsub!(reg, OneGadget::Helper.colorize(reg, sev: :reg)) }
+        str + "\n"
+      end
+    end
+
+    # Define class methods here.
+    module ClassMethods
+      BUILDS_PATH = File.join(File.dirname(__FILE__), 'builds').freeze
+      BUILDS = Hash.new { |h, k| h[k] = [] }
+      # Get gadgets from pre-defined corpus.
+      # @param [String] build_id Desired build id.
+      # @return [Array<Gadget::Gadget>] Gadgets.
+      def builds(build_id)
+        require_all if BUILDS.empty?
+        return BUILDS[build_id] if BUILDS.key?(build_id)
+        # fetch remote builds
+        table = OneGadget::Helper.remote_builds.find { |c| c.include?(build_id) }
+        return [] if table.nil? # remote doesn't have this one either.
+        # builds found in remote! Ask update gem and download remote gadgets.
+        OneGadget::Helper.ask_update(msg: 'The desired one-gadget can be found in lastest version!')
+        tmp_file = OneGadget::Helper.download_build(table)
+        require tmp_file.path
+        tmp_file.unlink
+        BUILDS[build_id]
+      end
+
+      # Add a gadget, for scripts in builds/ to use.
+      # @param [String] build_id The target's build id.
+      # @param [Integer] offset The relative address offset of this gadget.
+      # @param [Hash] options See {Gadget::Gadget#initialize} for more information.
+      # @return [void]
+      def add(build_id, offset, **options)
+        BUILDS[build_id] << OneGadget::Gadget::Gadget.new(offset, **options)
+      end
+
+      private
+
+      def require_all
+        Dir.glob(File.join(BUILDS_PATH, '**', '*.rb')).each do |dic|
+          require dic
+        end
+      end
+    end
+    extend ClassMethods
+  end
+end

data/lib/one_gadget/helper.rb

@@ -0,0 +1,128 @@
+require 'pathname'
+require 'shellwords'
+require 'net/http'
+require 'openssl'
+require 'tempfile'
+
+module OneGadget
+  # Define some helpful methods here.
+  module Helper
+    BUILD_ID_FORMAT = /[0-9a-f]{40}/
+    # Define class methods here.
+    module ClassMethods
+      # Get absolute path from relative path. Support symlink.
+      # @param [String] path Relative path.
+      # @return [String] Absolute path, with symlink resolved.
+      # @example
+      #   abspath('/lib/x86_64-linux-gnu/libc.so.6')
+      #   #=> '/lib/x86_64-linux-gnu/libc-2.23.so'
+      def abspath(path)
+        Pathname.new(File.expand_path(path)).realpath.to_s
+      end
+
+      # Get the Build ID of target ELF.
+      # @param [String] path Absolute file path.
+      # @return [String] Target build id.
+      # @example
+      #   build_id_of('/lib/x86_64-linux-gnu/libc-2.23.so')
+      #   #=> '60131540dadc6796cab33388349e6e4e68692053'
+      def build_id_of(path)
+        cmd = 'readelf -n ' + ::Shellwords.escape(path)
+        bid = `#{cmd}`.scan(/Build ID: (#{BUILD_ID_FORMAT})$/).first
+        return nil if bid.nil?
+        bid.first
+      end
+
+      # Disable colorize
+      def color_off!
+        @disable_color = true
+      end
+
+      # Enable colorize
+      def color_on!
+        @disable_color = false
+      end
+
+      # Color codes for pretty print
+      COLOR_CODE = {
+        esc_m: "\e[0m",
+        normal_s: "\e[38;5;1m", # red
+        integer: "\e[38;5;12m", # light blue
+        fatal: "\e[38;5;197m", # dark red
+        reg: "\e[38;5;120m", # light green
+        sym: "\e[38;5;229m", # pry like
+      }.freeze
+
+      # Wrapper color codes for pretty inspect.
+      # @param [String] str Contents to colorize.
+      # @option [Symbol] sev Specific which kind of color want to use, valid symbols are defined in +COLOR_CODE+.
+      # @return [String] Wrapper with color codes.
+      def colorize(str, sev: :normal_s)
+        return str if @disable_color
+        cc = COLOR_CODE
+        color = cc.key?(sev) ? cc[sev] : ''
+        "#{color}#{str.sub(cc[:esc_m], color)}#{cc[:esc_m]}"
+      end
+
+      # Fetch the latest release version's tag name.
+      # @return [String] The tag name, in form +vx.x.x+.
+      def latest_tag
+        latest = url_request('https://github.com/david942j/one_gadget/releases').scan(%r{/tree/v([\d.]+)"}).map do |tag|
+          Gem::Version.new(tag.first)
+        end.max.to_s
+        'v' + latest
+      end
+
+      # Get the url which can fetch +filename+ from remote repo.
+      # @param [String] filename
+      # @return [String] The url.
+      def url_of_file(filename)
+        raw_file_url = 'https://raw.githubusercontent.com/david942j/one_gadget/@tag/@file'
+        raw_file_url.gsub('@tag', latest_tag).gsub('@file', filename)
+      end
+
+      # Download the latest version of +file+ in +lib/one_gadget/builds/+ from remote repo.
+      #
+      # @param [String] file The filename desired.
+      # @return [Tempfile] The temp file be created.
+      def download_build(file)
+        temp = Tempfile.new(['gadgets', file + '.rb'])
+        url_request(url_of_file(File.join('lib', 'one_gadget', 'builds', file + '.rb')))
+        temp.write url_request(url_of_file(File.join('lib', 'one_gadget', 'builds', file + '.rb')))
+        temp.close
+        temp
+      end
+
+      # Get the latest builds list from repo.
+      # @return [Array<String>] List of build ids.
+      def remote_builds
+        url_request(url_of_file('builds_list')).lines.map(&:strip)
+      end
+
+      # Get request.
+      # @param [String] url The url.
+      # @return [String] The request response body.
+      def url_request(url)
+        # TODO: add timeout to handle github crashed or in no network environment.
+        uri = URI.parse(url)
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = true
+        http.verify_mode = ::OpenSSL::SSL::VERIFY_NONE
+
+        request = Net::HTTP::Get.new(uri.request_uri)
+
+        response = http.request(request)
+        response.body
+      end
+
+      # Show the message of ask user to update gem.
+      # @return [void]
+      def ask_update(msg: '')
+        name = 'one_gadget'
+        cmd = colorize("gem update #{name}")
+        STDERR.puts msg + "\n" + "Update with: $ #{cmd}"
+      end
+    end
+    extend ClassMethods
+  end
+end

data/lib/one_gadget/version.rb

@@ -0,0 +1,3 @@
+module OneGadget
+  VERSION = '1.0.0'.freeze
+end

data/spec/gadget_spec.rb

@@ -0,0 +1,22 @@
+require 'one_gadget/gadget'
+require 'one_gadget/helper'
+describe OneGadget::Gadget do
+  before(:all) do
+    @build_id = 'fake_id'
+    OneGadget::Helper.color_off! # disable colorize for easy testing.
+    OneGadget::Gadget.add(@build_id, 0x1234, constraints: ['[rsp+0x30] == NULL', 'rax == 0'])
+  end
+
+  after(:all) do
+    OneGadget::Gadget::ClassMethods::BUILDS.delete @build_id
+  end
+
+  it 'inspect' do
+    expect(OneGadget::Gadget.builds(@build_id).map(&:inspect).join).to eq <<-EOS
+offset: 0x1234
+constraints:
+  [rsp+0x30] == NULL
+  rax == 0
+    EOS
+  end
+end

data/spec/helper_spec.rb

@@ -0,0 +1,19 @@
+require 'one_gadget/helper'
+
+describe OneGadget::Helper do
+  before(:all) do
+    OneGadget::Helper.color_on!
+    @libcpath = File.join(File.dirname(__FILE__), 'data', 'libc-2.23.so')
+  end
+  it 'abspath' do
+    expect(OneGadget::Helper.abspath('./spec/data/libc-2.23.so')).to eq @libcpath
+  end
+
+  it 'build_id_of' do
+    expect(OneGadget::Helper.build_id_of(@libcpath)).to eq '60131540dadc6796cab33388349e6e4e68692053'
+  end
+
+  it 'colorize' do
+    expect(OneGadget::Helper.colorize('123', sev: :integer)).to eq "\e[38;5;12m123\e[0m"
+  end
+end

data/spec/one_gadget_spec.rb

@@ -0,0 +1,31 @@
+require 'one_gadget'
+
+describe 'one_gadget' do
+  before(:each) do
+    @build_id = '60131540dadc6796cab33388349e6e4e68692053'
+    @libcpath = File.join(File.dirname(__FILE__), 'data', 'libc-2.19.so')
+  end
+
+  it 'from file' do
+    expect(OneGadget.gadgets(file: @libcpath)).to eq [0x4647c, 0xe5765, 0xe66bd]
+  end
+
+  describe 'from build id' do
+    it 'normal' do
+      # only check not empty because the gadgets might add frequently.
+      expect(OneGadget.gadgets(build_id: @build_id)).not_to be_empty
+    end
+
+    it 'invalid' do
+      expect { OneGadget.gadgets(build_id: '^_^') }.to raise_error(ArgumentError, 'invalid BuildID format: "^_^"')
+    end
+
+    it 'fetch from remote' do
+      entry = OneGadget::Gadget::ClassMethods::BUILDS.delete(@build_id)
+      OneGadget::Gadget::ClassMethods::BUILDS[:a] = 1
+      expect(OneGadget.gadgets(build_id: @build_id)).not_to be_empty
+      OneGadget::Gadget::ClassMethods::BUILDS.delete(:a)
+      OneGadget::Gadget::ClassMethods::BUILDS[@build_id] = entry unless entry.nil?
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,8 @@
+require 'codeclimate-test-reporter'
+require 'simplecov'
+SimpleCov.formatter = SimpleCov::Formatter::MultiFormatter.new(
+  [SimpleCov::Formatter::HTMLFormatter, CodeClimate::TestReporter::Formatter]
+)
+SimpleCov.start do
+  add_filter '/spec/'
+end

metadata

@@ -0,0 +1,139 @@
+--- !ruby/object:Gem::Specification
+name: one_gadget
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- david942j
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-02-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.5'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.46'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.46'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.13.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.13.0
+- !ruby/object:Gem::Dependency
+  name: codeclimate-test-reporter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+description: |2
+    When playing ctf pwn challenges we usually needs the one-gadget of `execve('/bin/sh', NULL, NULL)`.
+    This gem provides such gadget finder, no need to use IDA-pro every time like a fool.
+    Also provides the command-line tool `one_gadget` for easy usage.
+email:
+- david942j@gmail.com
+executables:
+- one_gadget
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- bin/one_gadget
+- lib/one_gadget.rb
+- lib/one_gadget/abi.rb
+- lib/one_gadget/builds/libc-2.23-60131540dadc6796cab33388349e6e4e68692053.rb
+- lib/one_gadget/fetcher.rb
+- lib/one_gadget/gadget.rb
+- lib/one_gadget/helper.rb
+- lib/one_gadget/version.rb
+- spec/data/libc-2.19.so
+- spec/data/libc-2.23.so
+- spec/gadget_spec.rb
+- spec/helper_spec.rb
+- spec/one_gadget_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/david942j/one_gadget
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.1.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.2
+signing_key: 
+specification_version: 4
+summary: one_gadget
+test_files:
+- spec/data/libc-2.19.so
+- spec/data/libc-2.23.so
+- spec/spec_helper.rb
+- spec/helper_spec.rb
+- spec/one_gadget_spec.rb
+- spec/gadget_spec.rb