one_gadget 1.3.7 → 1.3.8
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +31 -22
- data/lib/one_gadget.rb +19 -4
- data/lib/one_gadget/fetcher.rb +1 -1
- data/lib/one_gadget/fetchers/amd64.rb +2 -1
- data/lib/one_gadget/fetchers/i386.rb +3 -2
- data/lib/one_gadget/helper.rb +8 -8
- data/lib/one_gadget/logger.rb +1 -0
- data/lib/one_gadget/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e47c77be5fc1a63c461fad7c0cecc0017540da61
|
|
4
|
+
data.tar.gz: 44c7d81b31fc80f8596a747d93f9aa1793a4518a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b85a66bdb6a16879fce76720e7b26afd3a0de0f2fb22a5ff86d0c24de49a440ab1fe6f248ee873f05f3e9427a3a39171183f26c38875a5fea23bfd77e56fdc53
|
|
7
|
+
data.tar.gz: 495b9930e3b6200e29efe0c3b1c7a8d858abdf99503acce96f92175dd3b80b095385ecc34fdc8c29b1fe6c54c65637e77aebf9c19662ac4e7de26608157c0a52
|
data/README.md
CHANGED
|
@@ -11,9 +11,9 @@
|
|
|
11
11
|
When playing ctf pwn challenges we usually need the one-gadget RCE (remote code execution),
|
|
12
12
|
which leads to call `execve('/bin/sh', NULL, NULL)`.
|
|
13
13
|
|
|
14
|
-
This gem provides such gadgets finder, no need to use IDA-pro every time like a fool
|
|
14
|
+
This gem provides such gadgets finder, no need to use objdump or IDA-pro every time like a fool :wink:
|
|
15
15
|
|
|
16
|
-
|
|
16
|
+
To use this tool, just type `one_gadget /path/to/libc` in command line and enjoy the magic :laughing:
|
|
17
17
|
|
|
18
18
|
Note: Supports amd64 and i386!
|
|
19
19
|
|
|
@@ -24,15 +24,17 @@ Available on RubyGems.org!
|
|
|
24
24
|
gem install one_gadget
|
|
25
25
|
```
|
|
26
26
|
|
|
27
|
+
Note: require ruby version >= 2.1.0, you can use `ruby --version` to check.
|
|
28
|
+
|
|
27
29
|
## Implementation
|
|
28
30
|
|
|
29
31
|
OneGadget use simple self-implement symbolic execution to find the constraints of gadgets.
|
|
30
32
|
|
|
31
|
-
The article introducing how I
|
|
33
|
+
The article introducing how I develop this tool can be found [here](https://david942j.blogspot.com/2017/02/project-one-gadget-in-glibc.html).
|
|
32
34
|
|
|
33
35
|
## Usage
|
|
34
36
|
|
|
35
|
-
### Command Line
|
|
37
|
+
### Command Line Interface
|
|
36
38
|
|
|
37
39
|
```bash
|
|
38
40
|
one_gadget
|
|
@@ -42,34 +44,35 @@ one_gadget
|
|
|
42
44
|
# -r, --[no-]raw Output gadgets offset only, split with one space.
|
|
43
45
|
# -s, --script exploit-script Run exploit script with all possible gadgets.
|
|
44
46
|
# The script will be run as 'exploit-script $offset'.
|
|
47
|
+
# --version Current gem version.
|
|
45
48
|
|
|
46
49
|
one_gadget -b 60131540dadc6796cab33388349e6e4e68692053
|
|
47
50
|
# 0x4526a execve("/bin/sh", rsp+0x30, environ)
|
|
48
51
|
# constraints:
|
|
49
52
|
# [rsp+0x30] == NULL
|
|
50
|
-
#
|
|
53
|
+
#
|
|
54
|
+
# 0xcc543 execve("/bin/sh", rcx, r12)
|
|
55
|
+
# constraints:
|
|
56
|
+
# [rcx] == NULL || rcx == NULL
|
|
57
|
+
# [r12] == NULL || r12 == NULL
|
|
58
|
+
#
|
|
59
|
+
# 0xcc618 execve("/bin/sh", rax, r12)
|
|
60
|
+
# constraints:
|
|
61
|
+
# [rax] == NULL || rax == NULL
|
|
62
|
+
# [r12] == NULL || r12 == NULL
|
|
63
|
+
#
|
|
51
64
|
# 0xef6c4 execve("/bin/sh", rsp+0x50, environ)
|
|
52
65
|
# constraints:
|
|
53
66
|
# [rsp+0x50] == NULL
|
|
54
|
-
#
|
|
67
|
+
#
|
|
55
68
|
# 0xf0567 execve("/bin/sh", rsp+0x70, environ)
|
|
56
69
|
# constraints:
|
|
57
70
|
# [rsp+0x70] == NULL
|
|
58
|
-
#
|
|
59
|
-
# 0xcc543 execve("/bin/sh", rcx, r12)
|
|
60
|
-
# constraints:
|
|
61
|
-
# rcx == NULL || [rcx] == NULL
|
|
62
|
-
# r12 == NULL || [r12] == NULL
|
|
63
|
-
#
|
|
64
|
-
# 0xcc618 execve("/bin/sh", rax, r12)
|
|
65
|
-
# constraints:
|
|
66
|
-
# rax == NULL || [rax] == NULL
|
|
67
|
-
# r12 == NULL || [r12] == NULL
|
|
68
|
-
#
|
|
71
|
+
#
|
|
69
72
|
# 0xf5b10 execve("/bin/sh", rcx, [rbp-0xf8])
|
|
70
73
|
# constraints:
|
|
71
|
-
# [
|
|
72
|
-
#
|
|
74
|
+
# [rcx] == NULL || rcx == NULL
|
|
75
|
+
# [[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL
|
|
73
76
|
|
|
74
77
|
one_gadget /lib/i386-linux-gnu/libc.so.6
|
|
75
78
|
# 0x3ac69 execve("/bin/sh", esp+0x34, environ)
|
|
@@ -104,18 +107,19 @@ one_gadget ./spec/data/libc-2.19.so -s 'echo "offset ->"'
|
|
|
104
107
|
require 'one_gadget'
|
|
105
108
|
OneGadget.gadgets(file: '/lib/x86_64-linux-gnu/libc.so.6')
|
|
106
109
|
# => [283242, 980676, 984423, 836931, 837144, 1006352]
|
|
110
|
+
|
|
107
111
|
# or in shorter way
|
|
108
|
-
one_gadget(
|
|
112
|
+
one_gadget('/lib/x86_64-linux-gnu/libc.so.6')
|
|
109
113
|
# => [283242, 980676, 984423, 836931, 837144, 1006352]
|
|
110
114
|
|
|
111
115
|
# from build id
|
|
112
|
-
one_gadget(
|
|
116
|
+
one_gadget('60131540dadc6796cab33388349e6e4e68692053')
|
|
113
117
|
# => [283242, 980676, 984423, 836931, 837144, 1006352]
|
|
114
118
|
```
|
|
115
119
|
|
|
116
120
|
## Screenshots
|
|
117
121
|
|
|
118
|
-
### Search gadgets
|
|
122
|
+
### Search gadgets in libc
|
|
119
123
|
|
|
120
124
|
#### 64 bit
|
|
121
125
|
|
|
@@ -126,3 +130,8 @@ one_gadget(build_id: '60131540dadc6796cab33388349e6e4e68692053')
|
|
|
126
130
|
### Fetch gadgets from database
|
|
127
131
|
|
|
128
132
|
|
|
133
|
+
## Make OneGadget Better
|
|
134
|
+
Any suggestion or feature request is welcome! Feel free to send a pull request.
|
|
135
|
+
|
|
136
|
+
Please let me know if you find any libc that make OneGadget fail to find gadgets.
|
|
137
|
+
And, if you like this work, I'll be happy to be [stared](https://github.com/david942j/one_gadget/stargazers) :grimacing:
|
data/lib/one_gadget.rb
CHANGED
|
@@ -1,6 +1,8 @@
|
|
|
1
1
|
# OneGadget - To find the execve(/bin/sh, 0, 0) in glibc.
|
|
2
2
|
#
|
|
3
3
|
# @author david942j
|
|
4
|
+
|
|
5
|
+
# Main module.
|
|
4
6
|
module OneGadget
|
|
5
7
|
class << self
|
|
6
8
|
# The man entry of gem +one_gadget+.
|
|
@@ -38,12 +40,25 @@ module OneGadget
|
|
|
38
40
|
end
|
|
39
41
|
|
|
40
42
|
# Shorter way to use one gadget.
|
|
41
|
-
# @param [
|
|
42
|
-
#
|
|
43
|
+
# @param [String?] arg
|
|
44
|
+
# Can be either +build_id+ or path to libc.
|
|
45
|
+
# @param [Mixed] options
|
|
46
|
+
# See {OneGadget#gadgets} for ore information.
|
|
43
47
|
# @return [Array<OneGadget::Gadget::Gadget>, Array<Integer>]
|
|
44
48
|
# The gadgets found.
|
|
45
|
-
|
|
46
|
-
|
|
49
|
+
# @example
|
|
50
|
+
# one_gadget('./libc.so.6')
|
|
51
|
+
# one_gadget('cbfa941a8eb7a11e4f90e81b66fcd5a820995d7c')
|
|
52
|
+
# one_gadget('./libc.so.6', details: true)
|
|
53
|
+
def one_gadget(arg = nil, **options)
|
|
54
|
+
unless arg.nil?
|
|
55
|
+
if arg =~ /\A#{OneGadget::Helper::BUILD_ID_FORMAT}\Z/
|
|
56
|
+
options[:build_id] = arg
|
|
57
|
+
else
|
|
58
|
+
options[:file] = arg
|
|
59
|
+
end
|
|
60
|
+
end
|
|
61
|
+
OneGadget.gadgets(**options)
|
|
47
62
|
end
|
|
48
63
|
|
|
49
64
|
require 'one_gadget/fetcher'
|
data/lib/one_gadget/fetcher.rb
CHANGED
data/lib/one_gadget/helper.rb
CHANGED
|
@@ -65,10 +65,8 @@ module OneGadget
|
|
|
65
65
|
# Fetch the latest release version's tag name.
|
|
66
66
|
# @return [String] The tag name, in form +vx.x.x+.
|
|
67
67
|
def latest_tag
|
|
68
|
-
releases_url = 'https://github.com/david942j/one_gadget/releases'
|
|
69
|
-
@latest_tag ||=
|
|
70
|
-
Gem::Version.new(tag.first)
|
|
71
|
-
end.max.to_s
|
|
68
|
+
releases_url = 'https://github.com/david942j/one_gadget/releases/latest'
|
|
69
|
+
@latest_tag ||= url_request(releases_url).split('/').last
|
|
72
70
|
end
|
|
73
71
|
|
|
74
72
|
# Get the url which can fetch +filename+ from remote repo.
|
|
@@ -76,7 +74,7 @@ module OneGadget
|
|
|
76
74
|
# @return [String] The url.
|
|
77
75
|
def url_of_file(filename)
|
|
78
76
|
raw_file_url = 'https://raw.githubusercontent.com/david942j/one_gadget/@tag/@file'
|
|
79
|
-
raw_file_url.
|
|
77
|
+
raw_file_url.sub('@tag', latest_tag).sub('@file', filename)
|
|
80
78
|
end
|
|
81
79
|
|
|
82
80
|
# Download the latest version of +file+ in +lib/one_gadget/builds/+ from remote repo.
|
|
@@ -99,7 +97,9 @@ module OneGadget
|
|
|
99
97
|
|
|
100
98
|
# Get request.
|
|
101
99
|
# @param [String] url The url.
|
|
102
|
-
# @return [String]
|
|
100
|
+
# @return [String]
|
|
101
|
+
# The request response body.
|
|
102
|
+
# If the response is '302 Found', return the location in header.
|
|
103
103
|
def url_request(url)
|
|
104
104
|
uri = URI.parse(url)
|
|
105
105
|
http = Net::HTTP.new(uri.host, uri.port)
|
|
@@ -109,8 +109,8 @@ module OneGadget
|
|
|
109
109
|
request = Net::HTTP::Get.new(uri.request_uri)
|
|
110
110
|
|
|
111
111
|
response = http.request(request)
|
|
112
|
-
raise ArgumentError, "Fail to get response of #{url}" unless response.code
|
|
113
|
-
response.body
|
|
112
|
+
raise ArgumentError, "Fail to get response of #{url}" unless %w(200 302).include?(response.code)
|
|
113
|
+
response.code == '302' ? response['location'] : response.body
|
|
114
114
|
rescue NoMethodError, SocketError, ArgumentError => e
|
|
115
115
|
p e
|
|
116
116
|
nil
|
data/lib/one_gadget/logger.rb
CHANGED
data/lib/one_gadget/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: one_gadget
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.3.
|
|
4
|
+
version: 1.3.8
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- david942j
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-05-26 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: elftools
|