one_gadget 1.0.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 469c960b795a87ce7f7e02b91c46b2f8e75f4a7d
-  data.tar.gz: c05c6387725951eaee40a2733f33909aa7d81daa
+  metadata.gz: fc34f437cb6bb8562f408c558c9d58f9c6b88658
+  data.tar.gz: 0604cd9f82c3c66500ce54b529255fa3fc323af3
 SHA512:
-  metadata.gz: fa08575754ee8a545db7cc1f60ba307670eadcb2df17750d0504b4a6ac8eb55897bdb2b77aeff6e0ceb207fbe6e15a58b975bee6aed0411b0bfd10beabe00b63
-  data.tar.gz: 92e091b662abf384bd4cc791a27d9478e3bd17c8b9c6fe7f75aa314479b8e50738ba40da8ec40c554fbb166a05e071147999911bd63f6cc21b3445b4a902fb76
+  metadata.gz: 3ff369c093af7bffab44931cf6cac32e8f961f91576e435a48245d5cc7b3c6bec17b3ca5d450f337d86852c5339b010d56dc39e1ddc8e4828894ab12ab317f1e
+  data.tar.gz: 78d0f190661d5275ab4bb29d3063f8dd883fbe8a37422dead64c2b9fc0ad32bfe006dc13a2e52a3130deda3fba3488410bb58b85f4b0853c5d0a7aa0e4aafc45

data/README.md

@@ -13,11 +13,16 @@ This gem provides such gadget finder, no need to use IDA-pro every time like a f
 
 Also provides the command-line tool `one_gadget` for easy usage.
 
-Note: only supports x86-64 now.
+Note: Supports amd64 and i386!
+
+Note2: still work in progress, the gem version might update frequently :p.
 
 ## Install
 
-I'll push to rubygems.org..
+Available on RubyGems.org!
+```bash
+gem install one_gadget
+```
 
 ## Usage
 
@@ -26,9 +31,10 @@ I'll push to rubygems.org..
 ```bash
 one_gadget
 # Usage: one_gadget [file] [options]
-#     -b, --build-id BuildID           BuildID[sha1] of libc
-#     -r, --[no-]raw                   Output gadgets offset only, split with one space
-#     -s, --script exploit-script      Run exploit script with all possible gadgets
+#     -b, --build-id BuildID           BuildID[sha1] of libc.
+#     -f, --[no-]force-file            Force search gadgets in file instead of build id first.
+#     -r, --[no-]raw                   Output gadgets offset only, split with one space.
+#     -s, --script exploit-script      Run exploit script with all possible gadgets.
 #                                      The script will be run as 'exploit-script $offset'.
 
 one_gadget -b 60131540dadc6796cab33388349e6e4e68692053
@@ -43,6 +49,28 @@ one_gadget -b 60131540dadc6796cab33388349e6e4e68692053
 # offset: 0xf0567
 # constraints:
 #   [rsp+0x70] == NULL
+#
+# offset: 0xf5b10
+# constraints:
+#   [rbp-0xf8] == NULL
+#   rcx == NULL
+
+one_gadget /lib/i386-linux-gnu/libc.so.6
+# offset: 0x3ac69
+# constraints:
+#   esi is the address of `rw-p` area of libc
+#   [esp+0x34] == NULL
+#
+# offset: 0x5fbbe
+# constraints:
+#   esi is the address of `rw-p` area of libc
+#   eax == NULL
+#
+# offset: 0x12036c
+# constraints:
+#   esi is the address of `rw-p` area of libc
+#   eax == NULL
+
 ```
 
 #### Combine with exploit script
@@ -59,7 +87,7 @@ one_gadget ./spec/data/libc-2.19.so -s 'echo "offset ->"'
 ```ruby
 require 'one_gadget'
 OneGadget.gadgets(file: '/lib/x86_64-linux-gnu/libc.so.6')
-# => [283242, 980676, 984423]
+# => [283242, 980676, 984423, 1006352]
 ```
 
 ## Screenshots

data/bin/one_gadget

@@ -7,11 +7,15 @@ usage = 'Usage: one_gadget [file] [options]'
 parser = OptionParser.new do |opts|
   opts.banner = usage
 
-  opts.on('-b', '--build-id BuildID', 'BuildID[sha1] of libc') do |b|
+  opts.on('-b', '--build-id BuildID', 'BuildID[sha1] of libc.') do |b|
     options[:build_id] = b
   end
 
-  opts.on('-r', '--[no-]raw', 'Output gadgets offset only, split with one space') do |v|
+  opts.on('-f', '--[no-]force-file', 'Force search gadgets in file instead of build id first.') do |b|
+    options[:force_file] = b
+  end
+
+  opts.on('-r', '--[no-]raw', 'Output gadgets offset only, split with one space.') do |v|
     options[:raw] = v
   end
 
@@ -32,7 +36,7 @@ end
 if options[:build_id]
   gadgets = OneGadget.gadgets(build_id: options[:build_id], details: true)
 elsif ARGV[0]
-  gadgets = OneGadget.gadgets(file: ARGV[0], details: true)
+  gadgets = OneGadget.gadgets(file: ARGV[0], details: true, force_file: options[:force_file])
 else
   puts parser.help
   exit(1)
@@ -41,7 +45,7 @@ end
 extend OneGadget::Helper::ClassMethods
 if options[:script]
   gadgets.map(&:offset).each do |offset|
-    puts "[#{colorize('OneGadget', sev: :reg)}] Trying #{colorize(format('0x%x', offset), sev: :integer)}..."
+    OneGadget::Logger.info("Trying #{colorize(format('0x%x', offset), sev: :integer)}...\n")
     execute(options[:script], offset)
   end
   exit(0)

data/lib/one_gadget.rb

@@ -11,19 +11,26 @@ module OneGadget
     #   The relative path of libc.so.6.
     # @param [String] build_id
     #   The BuildID of target libc.so.6.
+    # @param [Boolean] details
+    #   Return gadget objects or offset only.
+    # @param [Boolean] force_file
+    #   When +file+ is given, {OneGadget} will search gadgets according its
+    #   build id first. +force_file = true+ to disable this feature.
     # @return [Array<OneGadget::Gadget::Gadget>, Array<Integer>]
     #   The gadgets found.
     # @example
     #   OneGadget.gadgets(file: './libc.so.6')
     #   OneGadget.gadgets(build_id: '60131540dadc6796cab33388349e6e4e68692053')
-    def gadgets(file: nil, build_id: nil, details: false)
+    def gadgets(file: nil, build_id: nil, details: false, force_file: false)
       if build_id
         OneGadget::Fetcher.from_build_id(build_id, details: details)
       elsif file
         file = OneGadget::Helper.abspath(file)
-        build_id = OneGadget::Helper.build_id_of(file)
-        gadgets = OneGadget::Fetcher.from_build_id(build_id, details: details)
-        return gadgets unless gadgets.empty?
+        unless force_file
+          build_id = OneGadget::Helper.build_id_of(file)
+          gadgets = OneGadget::Fetcher.from_build_id(build_id, details: details)
+          return gadgets unless gadgets.empty?
+        end
         OneGadget::Fetcher.from_file(file, details: details)
       end
     end
@@ -32,4 +39,5 @@ end
 
 require 'one_gadget/fetcher'
 require 'one_gadget/helper'
+require 'one_gadget/logger'
 require 'one_gadget/version'

data/lib/one_gadget/builds/libc-2.23-926eb99d49cab2e5622af38ab07395f5b32035e9.rb

@@ -0,0 +1,8 @@
+require 'one_gadget/gadget'
+# Ubuntu GLIBC 2.23-0ubuntu5
+# ELF 32-bit LSB shared object, Intel 80386
+build_id = File.basename(__FILE__, '.rb').split('-').last + 'a'
+rw_area_constraint = 'esi is the address of `rw-p` area of libc'
+OneGadget::Gadget.add(build_id, 0x3ac69, constraints: [rw_area_constraint, '[esp+0x34] == NULL'])
+OneGadget::Gadget.add(build_id, 0x5fbbe, constraints: [rw_area_constraint, 'eax == NULL'])
+OneGadget::Gadget.add(build_id, 0x12036c, constraints: [rw_area_constraint, 'eax == NULL'])

data/lib/one_gadget/fetcher.rb

@@ -1,4 +1,6 @@
 require 'one_gadget/helper'
+require 'one_gadget/fetchers/amd64'
+require 'one_gadget/fetchers/i386'
 require 'one_gadget/gadget'
 
 module OneGadget
@@ -32,43 +34,14 @@ module OneGadget
       #   contains offset only.
       #   Otherwise, array of gadgets is returned.
       def from_file(file, details: false)
-        bin_sh_hex = str_offset(file, '/bin/sh').to_s(16)
-        candidates = `objdump -d -M intel #{file}|egrep '<execve[^+]*>$' -B 10`.split('--').select do |candidate|
-          next false unless candidate.include?(bin_sh_hex)
-          next false unless candidate.lines.last.include?('call') # last line must be +call execve+
-          true
-        end
-        candidates.map! do |candidate|
-          # remove other calls
-          lines = candidate.lines
-          to_rm = lines[0...-1].rindex { |c| c.include?('call') }
-          lines = lines[to_rm + 1..-1] unless to_rm.nil?
-          lines.map! { |s| s.gsub(/#\s+#{bin_sh_hex}\s+<.*>$/, "# #{bin_sh_hex} \"/bin/sh\"") }
-          lines.join
-        end
-        gadgets = candidates.map { |c| convert_to_gadget(c) }
+        gadgets = {
+          amd64: OneGadget::Fetcher::Amd64,
+          i386: OneGadget::Fetcher::I386,
+          unknown: OneGadget::Fetcher::Base
+        }[OneGadget::Helper.architecture(file)].new(file).find
         return gadgets if details
         gadgets.map(&:offset)
       end
-
-      private
-
-      def str_offset(file, str)
-        match = `strings -tx #{file} | grep '#{str}'`.lines.map(&:strip).first
-        return nil if match.nil?
-        # 17c8c3 /bin/sh
-        match.split.first.to_i(16)
-      end
-
-      def convert_to_gadget(assembly)
-        lines = assembly.lines.map(&:strip)
-        offset = lines.first.scan(/^([\da-f]+):/)[0][0].to_i(16)
-        # fetch those might be constraints lines.
-        important_lines = lines.select { |line| ['rsi'].any? { |r| line.include?(r) } }.map do |line|
-          line.split("\t").last.gsub(/\s+/, ' ')
-        end
-        OneGadget::Gadget::Gadget.new(offset, constraints: important_lines)
-      end
     end
     extend ClassMethods
   end

data/lib/one_gadget/fetchers/amd64.rb

@@ -0,0 +1,21 @@
+require 'one_gadget/fetchers/base'
+module OneGadget
+  module Fetcher
+    # Fetcher for amd64.
+    class Amd64 < OneGadget::Fetcher::Base
+      def find
+        bin_sh_hex = str_offset('/bin/sh').to_s(16)
+        cands = candidates do |candidate|
+          next false unless candidate.include?(bin_sh_hex) # works in x86-64
+          next false unless candidate.lines.last.include?('execve') # only care execve
+          true
+        end
+        cands.map do |candidate|
+          convert_to_gadget(candidate) do |line|
+            ['rsi'].any? { |r| line.include?(r) }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/one_gadget/fetchers/base.rb

@@ -0,0 +1,64 @@
+require 'shellwords'
+
+module OneGadget
+  module Fetcher
+    # define common methods for gadget fetchers.
+    class Base
+      attr_reader :file
+      # @param [String] file Absolute path of target libc.
+      def initialize(file)
+        @file = ::Shellwords.escape(file)
+      end
+
+      def find; raise NotImplementedError
+      end
+
+      # Fetch candidates that end with call exec*.
+      # @return [Array<String>]
+      #   Each +String+ returned is multi-lines of assembly code.
+      def candidates(&block)
+        cands = `objdump -w -d -M intel #{file}|egrep 'call.*<exec[^+]*>$' -B 20`.split('--').map do |cand|
+          cand.lines.map(&:strip).reject(&:empty?).join("\n")
+        end
+        # remove all calls, jmps
+        cands = slice_prefix(cands, &method(:branch?))
+        cands.select!(&block) if block_given?
+        cands
+      end
+
+      private
+
+      def slice_prefix(cands)
+        cands.map do |cand|
+          lines = cand.lines
+          to_rm = lines[0...-1].rindex { |c| yield(c) }
+          lines = lines[to_rm + 1..-1] unless to_rm.nil?
+          lines.join
+        end
+      end
+
+      # If str contains a branch instruction.
+      def branch?(str)
+        %w(call jmp je jne jl jb ja jg).any? { |f| str.include?(f) }
+      end
+
+      def str_offset(str)
+        match = `strings -tx #{file} -n #{str.size} | grep " #{::Shellwords.escape(str)}"`.lines.map(&:strip).first
+        return nil if match.nil?
+        # 17c8c3 /bin/sh
+        match.split.first.to_i(16)
+      end
+
+      def convert_to_gadget(assembly, &block)
+        lines = assembly.lines
+        offset = lines.first.scan(/^([\da-f]+):/)[0][0].to_i(16)
+        # fetch those might be constraints lines.
+        important_lines = lines.select(&block).map do |line|
+          ar = line.split("\t")
+          "#{ar.first} #{ar.last.gsub(/\s+/, ' ')}"
+        end
+        OneGadget::Gadget::Gadget.new(offset, constraints: important_lines)
+      end
+    end
+  end
+end

data/lib/one_gadget/fetchers/i386.rb

@@ -0,0 +1,54 @@
+require 'one_gadget/fetchers/base'
+module OneGadget
+  module Fetcher
+    # Fetcher for i386.
+    class I386 < OneGadget::Fetcher::Base
+      def find
+        rw_off = rw_offset
+        bin_sh = str_offset('/bin/sh')
+        minus_c = str_offset('-c')
+        rel_sh_hex = (rw_off - bin_sh).to_s(16)
+        rel_minus_c = (rw_off - minus_c).to_s(16)
+        cands = candidates do |candidate|
+          next false unless candidate.include?(rel_sh_hex)
+          true
+        end
+        # remove lines before and with -c appears
+        cands = slice_prefix(cands) do |line|
+          line.include?(rel_minus_c)
+        end
+        # special handle for execl call
+        cands.map! do |cand|
+          lines = cand.lines
+          next cand unless lines.last.include?('execl')
+          # Find the last three +push+, or mov [esp+0x8], .*
+          # Make it call +execl("/bin/sh", "sh", NULL)+.
+          if cand.include?('esp+0x8')
+            to_rm = lines.index { |c| c.include?('esp+0x8') }
+          else
+            push_cnt = 0
+            to_rm = lines.rindex do |c|
+              push_cnt += 1 if c.include?('push')
+              push_cnt >= 3
+            end
+          end
+          lines = lines[to_rm..-1] unless to_rm.nil?
+          lines.join
+        end
+        cands.map do |candidate|
+          convert_to_gadget(candidate) do |_|
+            true
+          end
+        end
+      end
+
+      private
+
+      def rw_offset
+        # How to find this offset correctly..?
+        line = `readelf -d #{file}|grep PLTGOT`
+        line.scan(/0x[\da-f]+/).last.to_i(16) & -0x1000
+      end
+    end
+  end
+end

data/lib/one_gadget/helper.rb

@@ -3,6 +3,7 @@ require 'shellwords'
 require 'net/http'
 require 'openssl'
 require 'tempfile'
+require 'one_gadget/logger'
 
 module OneGadget
   # Define some helpful methods here.
@@ -120,7 +121,18 @@ module OneGadget
       def ask_update(msg: '')
         name = 'one_gadget'
         cmd = colorize("gem update #{name}")
-        STDERR.puts msg + "\n" + "Update with: $ #{cmd}"
+        OneGadget::Logger.info(msg + "\n" + "Update with: $ #{cmd}" + "\n")
+      end
+
+      # Fetch the file archiecture of +file+.
+      # @param [String] The target ELF filename.
+      # @return [String]
+      #   Only supports :amd64, :i386 now.
+      def architecture(file)
+        str = `file #{::Shellwords.escape(file)}`
+        return :amd64 if str.include?('x86-64')
+        return :i386 if str.include?('Intel 80386')
+        :unknown
       end
     end
     extend ClassMethods

data/lib/one_gadget/logger.rb

@@ -0,0 +1,21 @@
+require 'logger'
+require 'one_gadget/helper'
+
+module OneGadget
+  # A logger for internal usage.
+  module Logger
+    @logger = ::Logger.new(STDOUT)
+    @logger.formatter = proc do |_severity, _datetime, _progname, msg|
+      prep = ' ' * 12
+      message = msg.lines.map.with_index do |str, i|
+        next str if i.zero?
+        prep + str
+      end
+      "[#{OneGadget::Helper.colorize('OneGadget', sev: :reg)}] #{message.join}"
+    end
+
+    def self.info(msg)
+      @logger.info(msg)
+    end
+  end
+end

data/lib/one_gadget/version.rb

@@ -1,3 +1,3 @@
 module OneGadget
-  VERSION = '1.0.0'.freeze
+  VERSION = '1.1.0'.freeze
 end

data/spec/helper_spec.rb

@@ -3,10 +3,11 @@ require 'one_gadget/helper'
 describe OneGadget::Helper do
   before(:all) do
     OneGadget::Helper.color_on!
-    @libcpath = File.join(File.dirname(__FILE__), 'data', 'libc-2.23.so')
+    @libcpath = File.join(File.dirname(__FILE__), 'data', 'libc-2.23-60131540dadc6796cab33388349e6e4e68692053.so')
   end
   it 'abspath' do
-    expect(OneGadget::Helper.abspath('./spec/data/libc-2.23.so')).to eq @libcpath
+    expect(OneGadget::Helper.abspath('./spec/data/libc-2.23-60131540dadc6796cab33388349e6e4e68692053.so'))
+      .to eq @libcpath
   end
 
   it 'build_id_of' do
@@ -16,4 +17,9 @@ describe OneGadget::Helper do
   it 'colorize' do
     expect(OneGadget::Helper.colorize('123', sev: :integer)).to eq "\e[38;5;12m123\e[0m"
   end
+
+  it 'architecture' do
+    expect(OneGadget::Helper.architecture(@libcpath)).to be :amd64
+    expect(OneGadget::Helper.architecture(__FILE__)).to be :unknown
+  end
 end

data/spec/{one_gadget_spec.rb → one_gadget_amd64_spec.rb}

@@ -3,7 +3,7 @@ require 'one_gadget'
 describe 'one_gadget' do
   before(:each) do
     @build_id = '60131540dadc6796cab33388349e6e4e68692053'
-    @libcpath = File.join(File.dirname(__FILE__), 'data', 'libc-2.19.so')
+    @libcpath = File.join(File.dirname(__FILE__), 'data', 'libc-2.19-cf699a15caae64f50311fc4655b86dc39a479789.so')
   end
 
   it 'from file' do

data/spec/one_gadget_i386_spec.rb

@@ -0,0 +1,24 @@
+require 'one_gadget'
+
+describe 'one_gadget' do
+  before(:each) do
+    @build_id = '926eb99d49cab2e5622af38ab07395f5b32035e9'
+    @libcpath19 = File.join(File.dirname(__FILE__), 'data', 'libc-2.19-fd51b20e670e9a9f60dc3b06dc9761fb08c9358b.so')
+    @libcpath23 = File.join(File.dirname(__FILE__), 'data', 'libc-2.23-926eb99d49cab2e5622af38ab07395f5b32035e9.so')
+  end
+
+  it 'from file libc-2.19' do
+    expect(OneGadget.gadgets(file: @libcpath19, force_file: true)).to eq [0x3fd27, 0x64c60, 0x1244a6]
+  end
+
+  it 'from file libc-2.23' do
+    expect(OneGadget.gadgets(file: @libcpath23, force_file: true)).to eq [0x3ac69, 0x5fbbe, 0x12036c]
+  end
+
+  describe 'from build id' do
+    it 'normal' do
+      # only check not empty because the gadgets might add frequently.
+      expect(OneGadget.gadgets(build_id: @build_id)).not_to be_empty
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: one_gadget
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - david942j
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-02-12 00:00:00.000000000 Z
+date: 2017-02-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -81,9 +81,11 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0.6'
 description: |2
-    When playing ctf pwn challenges we usually needs the one-gadget of `execve('/bin/sh', NULL, NULL)`.
-    This gem provides such gadget finder, no need to use IDA-pro every time like a fool.
-    Also provides the command-line tool `one_gadget` for easy usage.
+    When playing ctf pwn challenges we usually needs the one-gadget of execve('/bin/sh', NULL, NULL).
+
+    This gem provides such gadget finder, no need to use IDA-pro every time like a fool :p.
+
+    Also provides the command-line tool +one_gadget+ for easy usage.
 email:
 - david942j@gmail.com
 executables:
@@ -96,15 +98,23 @@ files:
 - lib/one_gadget.rb
 - lib/one_gadget/abi.rb
 - lib/one_gadget/builds/libc-2.23-60131540dadc6796cab33388349e6e4e68692053.rb
+- lib/one_gadget/builds/libc-2.23-926eb99d49cab2e5622af38ab07395f5b32035e9.rb
 - lib/one_gadget/fetcher.rb
+- lib/one_gadget/fetchers/amd64.rb
+- lib/one_gadget/fetchers/base.rb
+- lib/one_gadget/fetchers/i386.rb
 - lib/one_gadget/gadget.rb
 - lib/one_gadget/helper.rb
+- lib/one_gadget/logger.rb
 - lib/one_gadget/version.rb
-- spec/data/libc-2.19.so
-- spec/data/libc-2.23.so
+- spec/data/libc-2.19-cf699a15caae64f50311fc4655b86dc39a479789.so
+- spec/data/libc-2.19-fd51b20e670e9a9f60dc3b06dc9761fb08c9358b.so
+- spec/data/libc-2.23-60131540dadc6796cab33388349e6e4e68692053.so
+- spec/data/libc-2.23-926eb99d49cab2e5622af38ab07395f5b32035e9.so
 - spec/gadget_spec.rb
 - spec/helper_spec.rb
-- spec/one_gadget_spec.rb
+- spec/one_gadget_amd64_spec.rb
+- spec/one_gadget_i386_spec.rb
 - spec/spec_helper.rb
 homepage: https://github.com/david942j/one_gadget
 licenses:
@@ -131,9 +141,12 @@ signing_key:
 specification_version: 4
 summary: one_gadget
 test_files:
-- spec/data/libc-2.19.so
-- spec/data/libc-2.23.so
+- spec/one_gadget_i386_spec.rb
+- spec/one_gadget_amd64_spec.rb
+- spec/data/libc-2.23-926eb99d49cab2e5622af38ab07395f5b32035e9.so
+- spec/data/libc-2.19-cf699a15caae64f50311fc4655b86dc39a479789.so
+- spec/data/libc-2.23-60131540dadc6796cab33388349e6e4e68692053.so
+- spec/data/libc-2.19-fd51b20e670e9a9f60dc3b06dc9761fb08c9358b.so
 - spec/spec_helper.rb
 - spec/helper_spec.rb
-- spec/one_gadget_spec.rb
 - spec/gadget_spec.rb