one_gadget 1.6.2 → 1.7.0

data/lib/one_gadget/builds/libc-2.26-4ea852c9d6a5084b8b58509b3b3d37d3d8cddb90.rb

@@ -0,0 +1,52 @@
+require 'one_gadget/gadget'
+# https://gitlab.com/libcdb/libcdb/blob/master/libc/libc6_2.26-0ubuntu2_i386/lib/i386-linux-gnu/libc-2.26.so
+# 
+# Intel 80386
+# 
+# GNU C Library (Ubuntu GLIBC 2.26-0ubuntu2) stable release version 2.26, by Roland McGrath et al.
+# Copyright (C) 2017 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 6.4.0 20171010.
+# Available extensions:
+# 	crypt add-on version 2.1 by Michael Glad and others
+# 	GNU Libidn by Simon Josefsson
+# 	Native POSIX Threads Library by Ulrich Drepper et al
+# 	BIND-8.2.3-T5B
+# libc ABIs: UNIQUE IFUNC
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 250868,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 250870,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 250874,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x3c, environ)")
+OneGadget::Gadget.add(build_id, 250881,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x40, environ)")
+OneGadget::Gadget.add(build_id, 250916,
+                      constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+                      effect: "execve(\"/bin/sh\", eax, [esp])")
+OneGadget::Gadget.add(build_id, 250917,
+                      constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+                      effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
+OneGadget::Gadget.add(build_id, 425551,
+                      constraints: ["edi is the GOT address of libc", "eax == NULL"],
+                      effect: "execl(\"/bin/sh\", eax)")
+OneGadget::Gadget.add(build_id, 425552,
+                      constraints: ["edi is the GOT address of libc", "[esp] == NULL"],
+                      effect: "execl(\"/bin/sh\", [esp])")
+OneGadget::Gadget.add(build_id, 1269749,
+                      constraints: ["esi is the GOT address of libc", "eax == NULL"],
+                      effect: "execl(\"/bin/sh\", eax)")
+OneGadget::Gadget.add(build_id, 1269750,
+                      constraints: ["esi is the GOT address of libc", "[esp] == NULL"],
+                      effect: "execl(\"/bin/sh\", [esp])")
+

data/lib/one_gadget/builds/libc-2.26-6d2b609f0c8e7b338f767b08c5ac712fac809d31.rb

@@ -0,0 +1,49 @@
+require 'one_gadget/gadget'
+# https://gitlab.com/libcdb/libcdb/blob/master/libc/libc6_2.26-0ubuntu2_amd64/lib/x86_64-linux-gnu/libc-2.26.so
+# 
+# Advanced Micro Devices X86-64
+# 
+# GNU C Library (Ubuntu GLIBC 2.26-0ubuntu2) stable release version 2.26, by Roland McGrath et al.
+# Copyright (C) 2017 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 6.4.0 20171010.
+# Available extensions:
+# 	crypt add-on version 2.1 by Michael Glad and others
+# 	GNU Libidn by Simon Josefsson
+# 	Native POSIX Threads Library by Ulrich Drepper et al
+# 	BIND-8.2.3-T5B
+# libc ABIs: UNIQUE IFUNC
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 293958,
+                      constraints: ["rax == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 294042,
+                      constraints: ["[rsp+0x30] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 890627,
+                      constraints: ["[r13] == NULL || r13 == NULL", "[rbx] == NULL || rbx == NULL"],
+                      effect: "execve(\"/bin/sh\", r13, rbx)")
+OneGadget::Gadget.add(build_id, 891345,
+                      constraints: ["[[rbp-0xa0]] == NULL || [rbp-0xa0] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+                      effect: "execve(\"/bin/sh\", [rbp-0xa0], [rbp-0x70])")
+OneGadget::Gadget.add(build_id, 891352,
+                      constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+                      effect: "execve(\"/bin/sh\", rcx, [rbp-0x70])")
+OneGadget::Gadget.add(build_id, 891356,
+                      constraints: ["[rcx] == NULL || rcx == NULL", "[rdx] == NULL || rdx == NULL"],
+                      effect: "execve(\"/bin/sh\", rcx, rdx)")
+OneGadget::Gadget.add(build_id, 1035374,
+                      constraints: ["[rsp+0x40] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
+OneGadget::Gadget.add(build_id, 1035386,
+                      constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsi, [rax])")
+OneGadget::Gadget.add(build_id, 1039134,
+                      constraints: ["[rsp+0x70] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
+

data/lib/one_gadget/builds/libc-2.26-fb587bc4429e7d1b0de31a3b9ee8ae78ee797eb0.rb

@@ -0,0 +1,37 @@
+require 'one_gadget/gadget'
+# https://gitlab.com/libcdb/libcdb/blob/master/libc/libc6-amd64_2.26-0ubuntu2.1_i386/lib64/libc-2.26.so
+# 
+# Advanced Micro Devices X86-64
+# 
+# GNU C Library (Ubuntu GLIBC 2.26-0ubuntu2.1) stable release version 2.26, by Roland McGrath et al.
+# Copyright (C) 2017 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 6.4.0 20171010.
+# Available extensions:
+# 	crypt add-on version 2.1 by Michael Glad and others
+# 	GNU Libidn by Simon Josefsson
+# 	Native POSIX Threads Library by Ulrich Drepper et al
+# 	BIND-8.2.3-T5B
+# libc ABIs: UNIQUE IFUNC
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 269098,
+                      constraints: ["rax == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 269182,
+                      constraints: ["[rsp+0x30] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 799376,
+                      constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"],
+                      effect: "execve(\"/bin/sh\", r12, r13)")
+OneGadget::Gadget.add(build_id, 921694,
+                      constraints: ["[rsp+0x70] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
+OneGadget::Gadget.add(build_id, 921706,
+                      constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsi, [rax])")
+

data/lib/one_gadget/builds/libc-2.27-0e188ec5f09c187a7a92784d4b97aa251b15a93c.rb

@@ -0,0 +1,47 @@
+require 'one_gadget/gadget'
+# https://gitlab.com/libcdb/libcdb/blob/master/libc/libc6_2.27-3ubuntu1_i386/lib/i386-linux-gnu/libc-2.27.so
+# 
+# Intel 80386
+# 
+# GNU C Library (Ubuntu GLIBC 2.27-3ubuntu1) stable release version 2.27.
+# Copyright (C) 2018 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 7.3.0.
+# libc ABIs: UNIQUE IFUNC
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 250067,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 250069,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 250073,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x3c, environ)")
+OneGadget::Gadget.add(build_id, 250080,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x40, environ)")
+OneGadget::Gadget.add(build_id, 250115,
+                      constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+                      effect: "execve(\"/bin/sh\", eax, [esp])")
+OneGadget::Gadget.add(build_id, 250116,
+                      constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+                      effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
+OneGadget::Gadget.add(build_id, 424575,
+                      constraints: ["esi is the GOT address of libc", "eax == NULL"],
+                      effect: "execl(\"/bin/sh\", eax)")
+OneGadget::Gadget.add(build_id, 424576,
+                      constraints: ["esi is the GOT address of libc", "[esp] == NULL"],
+                      effect: "execl(\"/bin/sh\", [esp])")
+OneGadget::Gadget.add(build_id, 1277534,
+                      constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+                      effect: "execl(\"/bin/sh\", eax)")
+OneGadget::Gadget.add(build_id, 1277535,
+                      constraints: ["ebx is the GOT address of libc", "[esp] == NULL"],
+                      effect: "execl(\"/bin/sh\", [esp])")
+

data/lib/one_gadget/builds/libc-2.27-53f40c1d2f3739ae017dcdcef1a17314786e3709.rb

@@ -0,0 +1,38 @@
+require 'one_gadget/gadget'
+# spec/data/aarch64-libc-2.27.so
+# 
+# AArch64
+# 
+# GNU C Library (Ubuntu GLIBC 2.27-3ubuntu1) stable release version 2.27.
+# Copyright (C) 2018 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 7.3.0.
+# libc ABIs: UNIQUE
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258396,
+                      constraints: ["writable: x20+0x338", "x3+0x7c0 == NULL"],
+                      effect: "execve(\"/bin/sh\", sp+0x70, environ)")
+OneGadget::Gadget.add(build_id, 258400,
+                      constraints: ["writable: x20+0x338", "x3 == NULL"],
+                      effect: "execve(\"/bin/sh\", sp+0x70, environ)")
+OneGadget::Gadget.add(build_id, 258436,
+                      constraints: ["writable: x19+0x4", "writable: x20+0x338", "[sp+0x70] == NULL"],
+                      effect: "execve(\"/bin/sh\", sp+0x70, environ)")
+OneGadget::Gadget.add(build_id, 258472,
+                      constraints: ["writable: x19+0x4", "writable: x20+0x338", "[x21] == NULL || x21 == NULL"],
+                      effect: "execve(\"/bin/sh\", x21, environ)")
+OneGadget::Gadget.add(build_id, 409212,
+                      constraints: ["x2+0x7c8 == NULL"],
+                      effect: "execl(\"/bin/sh\", \"sh\", x2+0x7c8)")
+OneGadget::Gadget.add(build_id, 409224,
+                      constraints: ["x1+0x7c0 == NULL"],
+                      effect: "execl(\"/bin/sh\", x1+0x7c0)")
+OneGadget::Gadget.add(build_id, 409232,
+                      constraints: ["x1 == NULL"],
+                      effect: "execl(\"/bin/sh\", x1)")
+

data/lib/one_gadget/builds/libc-2.27-9dd0bb57f81671704475d1e5163405f7b4d4b454.rb

@@ -0,0 +1,32 @@
+require 'one_gadget/gadget'
+# https://gitlab.com/libcdb/libcdb/blob/master/libc/libc6-amd64_2.27-3ubuntu1_i386/lib64/libc-2.27.so
+# 
+# Advanced Micro Devices X86-64
+# 
+# GNU C Library (Ubuntu GLIBC 2.27-3ubuntu1) stable release version 2.27.
+# Copyright (C) 2018 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 7.3.0.
+# libc ABIs: UNIQUE IFUNC
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 271374,
+                      constraints: ["rax == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 271458,
+                      constraints: ["[rsp+0x30] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 806783,
+                      constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+                      effect: "execve(\"/bin/sh\", r13, r12)")
+OneGadget::Gadget.add(build_id, 930286,
+                      constraints: ["[rsp+0x60] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 930298,
+                      constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsi, [rax])")
+

data/lib/one_gadget/builds/libc-2.28-44f5a3efb0e5733fa9d97e690cb36cd4c682bcdb.rb

@@ -0,0 +1,41 @@
+require 'one_gadget/gadget'
+# https://gitlab.com/libcdb/libcdb/blob/master/libc/libc6-i386_2.28-0ubuntu1_amd64/lib32/libc-2.28.so
+# 
+# Intel 80386
+# 
+# GNU C Library (Ubuntu GLIBC 2.28-0ubuntu1) stable release version 2.28.
+# Copyright (C) 2018 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 8.2.0.
+# libc ABIs: UNIQUE IFUNC ABSOLUTE
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 256230,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 256232,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 256236,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x3c, environ)")
+OneGadget::Gadget.add(build_id, 256243,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x40, environ)")
+OneGadget::Gadget.add(build_id, 256278,
+                      constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+                      effect: "execve(\"/bin/sh\", eax, [esp])")
+OneGadget::Gadget.add(build_id, 256279,
+                      constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+                      effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
+OneGadget::Gadget.add(build_id, 429851,
+                      constraints: ["esi is the GOT address of libc", "eax == NULL"],
+                      effect: "execl(\"/bin/sh\", eax)")
+OneGadget::Gadget.add(build_id, 429852,
+                      constraints: ["esi is the GOT address of libc", "[esp] == NULL"],
+                      effect: "execl(\"/bin/sh\", [esp])")
+

data/lib/one_gadget/builds/libc-2.28-5784a31a1c26f6d2157e585205ebb63dd19ff90f.rb

@@ -0,0 +1,41 @@
+require 'one_gadget/gadget'
+# https://gitlab.com/libcdb/libcdb/blob/master/libc/libc6_2.28-0ubuntu1_i386/lib/i386-linux-gnu/libc-2.28.so
+# 
+# Intel 80386
+# 
+# GNU C Library (Ubuntu GLIBC 2.28-0ubuntu1) stable release version 2.28.
+# Copyright (C) 2018 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 8.2.0.
+# libc ABIs: UNIQUE IFUNC ABSOLUTE
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 257699,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 257701,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 257705,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x3c, environ)")
+OneGadget::Gadget.add(build_id, 257712,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x40, environ)")
+OneGadget::Gadget.add(build_id, 257747,
+                      constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+                      effect: "execve(\"/bin/sh\", eax, [esp])")
+OneGadget::Gadget.add(build_id, 257748,
+                      constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+                      effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
+OneGadget::Gadget.add(build_id, 433019,
+                      constraints: ["esi is the GOT address of libc", "eax == NULL"],
+                      effect: "execl(\"/bin/sh\", eax)")
+OneGadget::Gadget.add(build_id, 433020,
+                      constraints: ["esi is the GOT address of libc", "[esp] == NULL"],
+                      effect: "execl(\"/bin/sh\", [esp])")
+

data/lib/one_gadget/builds/libc-2.28-5b157f49586a3ca84d55837f97ff466767dd3445.rb

@@ -0,0 +1,38 @@
+require 'one_gadget/gadget'
+# https://gitlab.com/libcdb/libcdb/blob/master/libc/libc6_2.28-0ubuntu1_amd64/lib/x86_64-linux-gnu/libc-2.28.so
+# 
+# Advanced Micro Devices X86-64
+# 
+# GNU C Library (Ubuntu GLIBC 2.28-0ubuntu1) stable release version 2.28.
+# Copyright (C) 2018 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 8.2.0.
+# libc ABIs: UNIQUE IFUNC ABSOLUTE
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 328070,
+                      constraints: ["rcx == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
+OneGadget::Gadget.add(build_id, 328163,
+                      constraints: ["[rsp+0x40] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
+OneGadget::Gadget.add(build_id, 328175,
+                      constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsi, [rax])")
+OneGadget::Gadget.add(build_id, 914335,
+                      constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+                      effect: "execve(\"/bin/sh\", rcx, [rbp-0x70])")
+OneGadget::Gadget.add(build_id, 914339,
+                      constraints: ["[rcx] == NULL || rcx == NULL", "[rdx] == NULL || rdx == NULL"],
+                      effect: "execve(\"/bin/sh\", rcx, rdx)")
+OneGadget::Gadget.add(build_id, 914342,
+                      constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+                      effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 1064784,
+                      constraints: ["[rsp+0x70] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
+

data/lib/one_gadget/builds/libc-2.28-6ee9454b96efa9e343f9e8105f2fa4529265ea05.rb

@@ -0,0 +1,38 @@
+require 'one_gadget/gadget'
+# https://gitlab.com/libcdb/libcdb/blob/master/libc/libc6-amd64_2.28-0ubuntu1_i386/lib64/libc-2.28.so
+# 
+# Advanced Micro Devices X86-64
+# 
+# GNU C Library (Ubuntu GLIBC 2.28-0ubuntu1) stable release version 2.28.
+# Copyright (C) 2018 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 8.2.0.
+# libc ABIs: UNIQUE IFUNC ABSOLUTE
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 281407,
+                      constraints: ["rax == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 281491,
+                      constraints: ["[rsp+0x30] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 281503,
+                      constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsi, [rax])")
+OneGadget::Gadget.add(build_id, 816106,
+                      constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+                      effect: "execve(\"/bin/sh\", r13, r12)")
+OneGadget::Gadget.add(build_id, 816109,
+                      constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"],
+                      effect: "execve(\"/bin/sh\", r13, rdx)")
+OneGadget::Gadget.add(build_id, 816112,
+                      constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+                      effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 939838,
+                      constraints: ["[rsp+0x60] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
+

data/lib/one_gadget/emulators/aarch64.rb

@@ -0,0 +1,176 @@
+require 'one_gadget/abi'
+require 'one_gadget/emulators/instruction'
+require 'one_gadget/emulators/processor'
+
+module OneGadget
+  module Emulators
+    # Emulator of aarch64.
+    class AArch64 < Processor
+      # Instantiate a {AArch64} object.
+      def initialize
+        super(OneGadget::ABI.aarch64, 'sp')
+        # Constant registers
+        %w[xzr wzr].each { |r| @registers[r] = 0 }
+        @pc = 'pc'
+      end
+
+      # @see OneGadget::Emulators::X86#process!
+      def process!(cmd)
+        inst, args = parse(cmd.gsub(/#-?(0x)?[0-9a-f]+/) { |v| v[1..-1] })
+        sym = "inst_#{inst.inst}".to_sym
+        __send__(sym, *args) != :fail
+      end
+
+      # Supported instruction set.
+      # @return [Array<Instruction>] The supported instructions.
+      def instructions
+        [
+          Instruction.new('add', 3..4),
+          Instruction.new('adrp', 2),
+          Instruction.new('bl', 1),
+          Instruction.new('ldr', 2..3),
+          Instruction.new('mov', 2),
+          Instruction.new('stp', 3),
+          Instruction.new('str', 2..3)
+        ]
+      end
+
+      # Return the argument value of calling a function.
+      # @param [Integer] idx
+      # @return [Lambda, Integer]
+      def argument(idx)
+        registers["x#{idx}"]
+      end
+
+      private
+
+      def inst_add(dst, src, op2, mode = 'sxtw')
+        check_register!(dst)
+
+        src = OneGadget::Emulators::Lambda.parse(src, predefined: registers)
+        op2 = OneGadget::Emulators::Lambda.parse(op2, predefined: registers)
+        raise_unsupported('add', dst, src, op2) unless op2.is_a?(Integer) && mode == 'sxtw'
+
+        registers[dst] = src + op2
+      end
+
+      def inst_adrp(dst, imm)
+        check_register!(dst)
+
+        registers[dst] = libc_base + imm.to_i(16)
+      end
+
+      # Handle some valid calls.
+      # For example, +sigprocmask+ will always be a valid call
+      # because it just invokes syscall.
+      def inst_bl(addr)
+        # This is the last call
+        return registers[pc] = addr if %w[execve execl].any? { |n| addr.include?(n) }
+
+        # TODO: handle some registers would be fucked after call
+        checker = {
+          'sigprocmask' => {},
+          '__sigaction' => { 2 => :zero? }
+        }
+        func = checker.keys.find { |n| addr.include?(n) }
+        return if func && checker[func].all? { |idx, sym| check_argument(idx, sym) }
+
+        # unhandled case or checker's condition fails
+        :fail
+      end
+
+      def inst_ldr(dst, src, index = 0)
+        check_register!(dst)
+
+        src_l = OneGadget::Emulators::Lambda.parse(src, predefined: registers)
+        registers[dst] = src_l
+        raise_unsupported('ldr', dst, src, index) unless OneGadget::Helper.integer?(index)
+
+        index = Integer(index)
+        return unless src.end_with?('!') || index.nonzero?
+
+        # Two cases:
+        # 1. pre-index mode, +src+ is [reg, imm]!
+        # 2. post-index mode, +src+ is [reg]
+        lmda = OneGadget::Emulators::Lambda.parse(src)
+        registers[lmda.obj] += lmda.immi + index
+      end
+
+      def inst_mov(dst, src)
+        check_register!(dst)
+
+        src = OneGadget::Emulators::Lambda.parse(src, predefined: registers)
+        registers[dst] = src
+      end
+
+      def inst_stp(reg1, reg2, dst)
+        raise_unsupported('stp', reg1, reg2, dst) unless reg64?(reg1) && reg64?(reg2)
+
+        dst_l = OneGadget::Emulators::Lambda.parse(dst, predefined: registers).ref!
+        raise_unsupported('stp', reg1, reg2, dst) unless dst_l.obj == sp && dst_l.deref_count.zero?
+
+        cur_top = dst_l.evaluate(eval_dict)
+        stack[cur_top] = registers[reg1]
+        stack[cur_top + size_t] = registers[reg2]
+
+        registers[sp] += OneGadget::Emulators::Lambda.parse(dst).immi if dst.end_with?('!')
+      end
+
+      def inst_str(src, dst, index = 0)
+        check_register!(src)
+        raise_unsupported('str', src, dst, index) unless OneGadget::Helper.integer?(index)
+
+        dst_l = OneGadget::Emulators::Lambda.parse(dst, predefined: registers).ref!
+        # Only stores on stack.
+        if dst_l.obj == sp && dst_l.deref_count.zero?
+          cur_top = dst_l.evaluate(eval_dict)
+          stack[cur_top] = registers[src]
+        else
+          # Unlike the stack case, don't know where to save the value.
+          # Simply add a constraint.
+          add_writable(dst_l)
+        end
+
+        index = Integer(index)
+        return unless dst.end_with?('!') || index.nonzero?
+
+        # Two cases:
+        # 1. pre-index mode, +dst+ is [reg, imm]!
+        # 2. post-index mode, +dst+ is [reg]
+        lmda = OneGadget::Emulators::Lambda.parse(dst)
+        registers[lmda.obj] += lmda.immi + index
+      end
+
+      def libc_base
+        @libc_base ||= OneGadget::Emulators::Lambda.new('$base')
+      end
+
+      # Checks if +reg+ is a 64-bit register.
+      def reg64?(reg)
+        register?(reg) && reg.start_with?('x')
+      end
+
+      # Override
+      # def global_var?(obj)
+      #   str = obj.is_a?(OneGadget::Emulators::Lambda) ? obj.obj.to_s : obj.to_s
+      #   # TODO: check if this assumption usually correct
+      #   (%w[x19 x20 x21] << libc_base.obj).any? { |r| str.include?(r) }
+      # end
+
+      def add_writable(lmda)
+        # XXX: Better way is check LOAD segment of the libc ELF.
+        # XXX: Should also checks deref_count, but sometimes [[$base+xx]] is also writable..
+        return if lmda.obj == libc_base.obj
+
+        @constraints << [:writable, lmda]
+      end
+
+      class << self
+        # AArch64 is 64-bit.
+        def bits
+          64
+        end
+      end
+    end
+  end
+end