one_gadget 1.7.4 → 1.8.0

data/lib/one_gadget/builds/libc-2.34-b8037b6260865346802321dd2256b8ad1d857e63.rb

@@ -0,0 +1,68 @@
+require 'one_gadget/gadget'
+# https://gitlab.com/david942j/libcdb/blob/master/libc/libc6_2.34-0ubuntu3_amd64/lib/x86_64-linux-gnu/libc.so.6
+# 
+# Advanced Micro Devices X86-64
+# 
+# GNU C Library (Ubuntu GLIBC 2.34-0ubuntu3) stable release version 2.34.
+# Copyright (C) 2021 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 10.3.0.
+# libc ABIs: UNIQUE IFUNC ABSOLUTE
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 346000,
+                      constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"],
+                      effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 346012,
+                      constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+                      effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 346033,
+                      constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+                      effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])")
+OneGadget::Gadget.add(build_id, 346041,
+                      constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+                      effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
+OneGadget::Gadget.add(build_id, 543811,
+                      constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+                      effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 543824,
+                      constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+                      effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 543829,
+                      constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+                      effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 543834,
+                      constraints: ["rsp & 0xf == 0", "[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+                      effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 978124,
+                      constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"],
+                      effect: "execve(\"/bin/sh\", r15, r12)")
+OneGadget::Gadget.add(build_id, 978127,
+                      constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"],
+                      effect: "execve(\"/bin/sh\", r15, rdx)")
+OneGadget::Gadget.add(build_id, 978130,
+                      constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+                      effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 978613,
+                      constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+                      effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
+OneGadget::Gadget.add(build_id, 978617,
+                      constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"],
+                      effect: "execve(\"/bin/sh\", r10, rdx)")
+OneGadget::Gadget.add(build_id, 1117482,
+                      constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+                      effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])")
+OneGadget::Gadget.add(build_id, 1117490,
+                      constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+                      effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)")
+OneGadget::Gadget.add(build_id, 1117495,
+                      constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+                      effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
+OneGadget::Gadget.add(build_id, 1117505,
+                      constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+                      effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
+

data/lib/one_gadget/builds/libc-2.34-ba4777827fe1fb729ca35acd99c8013936172a0d.rb

@@ -0,0 +1,50 @@
+require 'one_gadget/gadget'
+# https://gitlab.com/david942j/libcdb/blob/master/libc/libc6-amd64_2.34-0ubuntu3_i386/lib64/libc.so.6
+# 
+# Advanced Micro Devices X86-64
+# 
+# GNU C Library (Ubuntu GLIBC 2.34-0ubuntu3) stable release version 2.34.
+# Copyright (C) 2021 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 10.3.0.
+# libc ABIs: UNIQUE IFUNC ABSOLUTE
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 324314,
+                      constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+                      effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 324336,
+                      constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+                      effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 506716,
+                      constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+                      effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 506731,
+                      constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+                      effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 909902,
+                      constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+                      effect: "execve(\"/bin/sh\", r13, r12)")
+OneGadget::Gadget.add(build_id, 909905,
+                      constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"],
+                      effect: "execve(\"/bin/sh\", r13, rdx)")
+OneGadget::Gadget.add(build_id, 909908,
+                      constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+                      effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 1031210,
+                      constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+                      effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
+OneGadget::Gadget.add(build_id, 1031218,
+                      constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+                      effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
+OneGadget::Gadget.add(build_id, 1031223,
+                      constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+                      effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
+OneGadget::Gadget.add(build_id, 1031233,
+                      constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+                      effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
+

data/lib/one_gadget/builds/libc-2.34-f0fc29165cbe6088c0e1adf03b0048fbecbc003a.rb

@@ -0,0 +1,68 @@
+require 'one_gadget/gadget'
+# https://gitlab.com/david942j/libcdb/blob/master/libc/libc6_2.34-0ubuntu3.2_amd64/lib/x86_64-linux-gnu/libc.so.6
+# 
+# Advanced Micro Devices X86-64
+# 
+# GNU C Library (Ubuntu GLIBC 2.34-0ubuntu3.2) stable release version 2.34.
+# Copyright (C) 2021 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 10.3.0.
+# libc ABIs: UNIQUE IFUNC ABSOLUTE
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 329616,
+                      constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"],
+                      effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 329628,
+                      constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+                      effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 329649,
+                      constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+                      effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])")
+OneGadget::Gadget.add(build_id, 329657,
+                      constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+                      effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
+OneGadget::Gadget.add(build_id, 527459,
+                      constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+                      effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 527472,
+                      constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+                      effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 527477,
+                      constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+                      effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 527482,
+                      constraints: ["rsp & 0xf == 0", "[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+                      effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 961772,
+                      constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"],
+                      effect: "execve(\"/bin/sh\", r15, r12)")
+OneGadget::Gadget.add(build_id, 961775,
+                      constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"],
+                      effect: "execve(\"/bin/sh\", r15, rdx)")
+OneGadget::Gadget.add(build_id, 961778,
+                      constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+                      effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 962261,
+                      constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+                      effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
+OneGadget::Gadget.add(build_id, 962265,
+                      constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"],
+                      effect: "execve(\"/bin/sh\", r10, rdx)")
+OneGadget::Gadget.add(build_id, 1101130,
+                      constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+                      effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])")
+OneGadget::Gadget.add(build_id, 1101138,
+                      constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+                      effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)")
+OneGadget::Gadget.add(build_id, 1101143,
+                      constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+                      effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
+OneGadget::Gadget.add(build_id, 1101153,
+                      constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+                      effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
+

data/lib/one_gadget/builds/libc-2.35-89c3cb85f9e55046776471fed05ec441581d1969.rb

@@ -0,0 +1,62 @@
+require 'one_gadget/gadget'
+# https://gitlab.com/david942j/libcdb/blob/master/libc/libc6_2.35-0ubuntu3_amd64/lib/x86_64-linux-gnu/libc.so.6
+# 
+# Advanced Micro Devices X86-64
+# 
+# GNU C Library (Ubuntu GLIBC 2.35-0ubuntu3) stable release version 2.35.
+# Copyright (C) 2022 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 11.2.0.
+# libc ABIs: UNIQUE IFUNC ABSOLUTE
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 330295,
+                      constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"],
+                      effect: "posix_spawn(rsp+0x1c, \"/bin/sh\", 0, rbp, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 330307,
+                      constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+                      effect: "posix_spawn(rsp+0x1c, \"/bin/sh\", rdx, rbp, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 330328,
+                      constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+                      effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])")
+OneGadget::Gadget.add(build_id, 330336,
+                      constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+                      effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
+OneGadget::Gadget.add(build_id, 527427,
+                      constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+                      effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 527440,
+                      constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+                      effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 527445,
+                      constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+                      effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 527450,
+                      constraints: ["rsp & 0xf == 0", "[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+                      effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 965873,
+                      constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+                      effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
+OneGadget::Gadget.add(build_id, 965877,
+                      constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"],
+                      effect: "execve(\"/bin/sh\", r10, rdx)")
+OneGadget::Gadget.add(build_id, 965880,
+                      constraints: ["writable: rbp-0x78", "[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+                      effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 1104834,
+                      constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+                      effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
+OneGadget::Gadget.add(build_id, 1104842,
+                      constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+                      effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
+OneGadget::Gadget.add(build_id, 1104847,
+                      constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+                      effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
+OneGadget::Gadget.add(build_id, 1104857,
+                      constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+                      effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
+

data/lib/one_gadget/builds/libc-2.35-ab265082cac9486923c709d48ee5dde080e243ff.rb

@@ -0,0 +1,41 @@
+require 'one_gadget/gadget'
+# https://gitlab.com/david942j/libcdb/blob/master/libc/libc6-amd64_2.35-0ubuntu3_i386/lib64/libc.so.6
+# 
+# Advanced Micro Devices X86-64
+# 
+# GNU C Library (Ubuntu GLIBC 2.35-0ubuntu3) stable release version 2.35.
+# Copyright (C) 2022 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 11.2.0.
+# libc ABIs: UNIQUE IFUNC ABSOLUTE
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 307427,
+                      constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+                      effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 307449,
+                      constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+                      effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 489356,
+                      constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+                      effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 489371,
+                      constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+                      effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 1016778,
+                      constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+                      effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])")
+OneGadget::Gadget.add(build_id, 1016786,
+                      constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+                      effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)")
+OneGadget::Gadget.add(build_id, 1016791,
+                      constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+                      effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
+OneGadget::Gadget.add(build_id, 1016801,
+                      constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+                      effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
+

data/lib/one_gadget/builds/libc-2.35-c376d41cff4473142a97ac1ff1eab433859dc3d4.rb

@@ -0,0 +1,26 @@
+require 'one_gadget/gadget'
+# https://gitlab.com/david942j/libcdb/blob/master/libc/libc6_2.35-0ubuntu3_i386/lib/i386-linux-gnu/libc.so.6
+# 
+# Intel 80386
+# 
+# GNU C Library (Ubuntu GLIBC 2.35-0ubuntu3) stable release version 2.35.
+# Copyright (C) 2022 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 11.2.0.
+# libc ABIs: UNIQUE IFUNC ABSOLUTE
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 912899,
+                      constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x30]] == NULL || [ebp-0x30] == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+                      effect: "execve(\"/bin/sh\", [ebp-0x30], [ebp-0x2c])")
+OneGadget::Gadget.add(build_id, 1517633,
+                      constraints: ["esi is the GOT address of libc", "eax == NULL"],
+                      effect: "execl(\"/bin/sh\", eax)")
+OneGadget::Gadget.add(build_id, 1517634,
+                      constraints: ["esi is the GOT address of libc", "[esp] == NULL"],
+                      effect: "execl(\"/bin/sh\", [esp])")
+

data/lib/one_gadget/builds/libc-2.35-dfca8b65dd2d2ca67f70dc7a556a6cfa8ba96ed8.rb

@@ -0,0 +1,26 @@
+require 'one_gadget/gadget'
+# https://gitlab.com/david942j/libcdb/blob/master/libc/libc6-i386_2.35-0ubuntu3_amd64/lib32/libc.so.6
+# 
+# Intel 80386
+# 
+# GNU C Library (Ubuntu GLIBC 2.35-0ubuntu3) stable release version 2.35.
+# Copyright (C) 2022 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 11.2.0.
+# libc ABIs: UNIQUE IFUNC ABSOLUTE
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 907139,
+                      constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x30]] == NULL || [ebp-0x30] == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+                      effect: "execve(\"/bin/sh\", [ebp-0x30], [ebp-0x2c])")
+OneGadget::Gadget.add(build_id, 1502977,
+                      constraints: ["esi is the GOT address of libc", "eax == NULL"],
+                      effect: "execl(\"/bin/sh\", eax)")
+OneGadget::Gadget.add(build_id, 1502978,
+                      constraints: ["esi is the GOT address of libc", "[esp] == NULL"],
+                      effect: "execl(\"/bin/sh\", [esp])")
+

data/lib/one_gadget/cli.rb

@@ -120,7 +120,7 @@ module OneGadget
         end
 
         opts.on('-n', '--near FUNCTIONS/FILE', 'Order gadgets by their distance to the given functions'\
-                ' or to the GOT functions of the given file.') do |n|
+                                               ' or to the GOT functions of the given file.') do |n|
           @options[:near] = n
         end
 

data/lib/one_gadget/emulators/aarch64.rb

@@ -49,8 +49,8 @@ module OneGadget
       def inst_add(dst, src, op2, mode = 'sxtw')
         check_register!(dst)
 
-        src = OneGadget::Emulators::Lambda.parse(src, predefined: registers)
-        op2 = OneGadget::Emulators::Lambda.parse(op2, predefined: registers)
+        src = arg_to_lambda(src)
+        op2 = arg_to_lambda(op2)
         raise_unsupported('add', dst, src, op2) unless op2.is_a?(Integer) && mode == 'sxtw'
 
         registers[dst] = src + op2
@@ -84,7 +84,7 @@ module OneGadget
       def inst_ldr(dst, src, index = 0)
         check_register!(dst)
 
-        src_l = OneGadget::Emulators::Lambda.parse(src, predefined: registers)
+        src_l = arg_to_lambda(src)
         registers[dst] = src_l
         raise_unsupported('ldr', dst, src, index) unless OneGadget::Helper.integer?(index)
 
@@ -101,28 +101,27 @@ module OneGadget
       def inst_mov(dst, src)
         check_register!(dst)
 
-        src = OneGadget::Emulators::Lambda.parse(src, predefined: registers)
-        registers[dst] = src
+        registers[dst] = arg_to_lambda(src)
       end
 
       def inst_stp(reg1, reg2, dst)
         raise_unsupported('stp', reg1, reg2, dst) unless reg64?(reg1) && reg64?(reg2)
 
-        dst_l = OneGadget::Emulators::Lambda.parse(dst, predefined: registers).ref!
+        dst_l = arg_to_lambda(dst).ref!
         raise_unsupported('stp', reg1, reg2, dst) unless dst_l.obj == sp && dst_l.deref_count.zero?
 
         cur_top = dst_l.evaluate(eval_dict)
         stack[cur_top] = registers[reg1]
         stack[cur_top + size_t] = registers[reg2]
 
-        registers[sp] += OneGadget::Emulators::Lambda.parse(dst).immi if dst.end_with?('!')
+        registers[sp] += arg_to_lambda(dst).immi if dst.end_with?('!')
       end
 
       def inst_str(src, dst, index = 0)
         check_register!(src)
         raise_unsupported('str', src, dst, index) unless OneGadget::Helper.integer?(index)
 
-        dst_l = OneGadget::Emulators::Lambda.parse(dst, predefined: registers).ref!
+        dst_l = arg_to_lambda(dst).ref!
         # Only stores on stack.
         if dst_l.obj == sp && dst_l.deref_count.zero?
           cur_top = dst_l.evaluate(eval_dict)

data/lib/one_gadget/emulators/amd64.rb

@@ -27,6 +27,9 @@ module OneGadget
         when 0 then registers['rdi']
         when 1 then registers['rsi']
         when 2 then registers['rdx']
+        when 3 then registers['rcx']
+        when 4 then registers['r8']
+        when 5 then registers['r9']
         end
       end
     end

data/lib/one_gadget/emulators/lambda.rb

@@ -46,13 +46,13 @@ module OneGadget
         self.+(-other)
       end
 
-      # Increase dereference count with 1.
+      # Increase dereference count by 1.
       # @return [void]
       def deref!
         @deref_count += 1
       end
 
-      # Decrease dereference count with 1.
+      # Decrease dereference count by 1.
       # @return [self]
       # @raise [Error::InstrutionArgumentError] When this object cannot be referenced anymore.
       def ref!
@@ -105,7 +105,7 @@ module OneGadget
         # @param [Hash{String => Lambda}] predefined
         #   Predefined values.
         # @return [OneGadget::Emulators::Lambda, Integer]
-        #   If +argument+ contains number only, returns the value.
+        #   If +argument+ contains numbers only, returns the value.
         #   Otherwise, returns a {Lambda} object.
         # @example
         #   obj = Lambda.parse('[rsp+0x50]')
@@ -117,9 +117,17 @@ module OneGadget
         #   #=> #<Lambda @obj='x0', @immi=-104, @deref_count=1>
         def parse(argument, predefined: {})
           arg = argument.dup
+          return 0 if arg.empty? || arg == '!'
           return Integer(arg) if OneGadget::Helper.integer?(arg)
+
           # nested []
-          return parse(arg[1...arg.rindex(']')], predefined: predefined).deref if arg[0] == '['
+          if arg[0] == '['
+            ridx = arg.rindex(']')
+            immi = parse(arg[(ridx + 1)..-1])
+            lm = parse(arg[1...ridx], predefined: predefined).deref
+            lm += immi unless immi.zero?
+            return lm
+          end
 
           base, disp = mem_obj(arg)
           obj = predefined[base] || Lambda.new(base)

data/lib/one_gadget/emulators/processor.rb

@@ -47,7 +47,7 @@ module OneGadget
       # @return [Boolean]
       def process(cmd)
         process!(cmd)
-      # rescue OneGadget::Error::UnsupportedError # for debugging
+      # rescue OneGadget::Error::UnsupportedError => e; p e # for debugging
       rescue OneGadget::Error::Error
         false
       end
@@ -115,6 +115,14 @@ module OneGadget
         OneGadget::Emulators::Lambda.new(reg)
       end
 
+      # Fetch the corresponding lambda value of instruction arguments from the current register sets.
+      #
+      # @param [String] arg The instruction argument passed to inst_* functions.
+      # @return [Lambda]
+      def arg_to_lambda(arg)
+        OneGadget::Emulators::Lambda.parse(arg, predefined: registers)
+      end
+
       def raise_unsupported(inst, *args)
         raise OneGadget::Error::UnsupportedInstructionArgumentError, "#{inst} #{args.join(', ')}"
       end

data/lib/one_gadget/emulators/x86.rb

@@ -45,14 +45,15 @@ module OneGadget
           Instruction.new('xor', 2),
           Instruction.new('movq', 2),
           Instruction.new('movaps', 2),
-          Instruction.new('movhps', 2)
+          Instruction.new('movhps', 2),
+          Instruction.new('punpcklqdq', 2)
         ]
       end
 
       private
 
       def inst_mov(dst, src)
-        src = OneGadget::Emulators::Lambda.parse(src, predefined: registers)
+        src = arg_to_lambda(src)
         if register?(dst)
           registers[dst] = src
         else
@@ -60,7 +61,7 @@ module OneGadget
           # TODO(david942j): #120
           return add_writable(dst) unless dst.include?(sp)
 
-          dst = OneGadget::Emulators::Lambda.parse(dst, predefined: registers)
+          dst = arg_to_lambda(dst)
           return if dst.deref_count != 1 # should not happen
 
           dst.ref!
@@ -79,9 +80,17 @@ module OneGadget
         end
       end
 
-      # Move *src to dst[:64]
+      # Move src to dst[:64]
+      # Supported forms:
+      #   movq xmm*, [sp+*]
+      #   movq xmm*, reg64
       def inst_movq(dst, src)
-        # XXX: here we only support `movq xmm*, [sp+*]`
+        if self.class.bits == 64 && xmm_reg?(dst) && src.start_with?('r') && register?(src)
+          dst = arg_to_lambda(dst)
+          src = arg_to_lambda(src)
+          dst[0] = src
+          return
+        end
         dst, src = check_xmm_sp(dst, src) { raise_unsupported('movq', dst, src) }
         off = src.evaluate(eval_dict)
         (64 / self.class.bits).times do |i|
@@ -89,7 +98,7 @@ module OneGadget
         end
       end
 
-      # Move *src to dst[64:128]
+      # Move src to dst[64:128]
       def inst_movhps(dst, src)
         # XXX: here we only support `movhps xmm*, [sp+*]`
         dst, src = check_xmm_sp(dst, src) { raise_unsupported('movhps', dst, src) }
@@ -99,28 +108,41 @@ module OneGadget
         end
       end
 
-      # check if (dst, src) in form (xmm*, [sp+*])
+      # check whether (dst, src) is in form (xmm*, [sp+*])
       def check_xmm_sp(dst, src)
-        return yield unless dst.start_with?('xmm') && register?(dst) && src.include?(sp)
+        return yield unless xmm_reg?(dst) && src.include?(sp)
 
-        dst_lm = OneGadget::Emulators::Lambda.parse(dst, predefined: registers)
-        src_lm = OneGadget::Emulators::Lambda.parse(src, predefined: registers)
+        dst_lm = arg_to_lambda(dst)
+        src_lm = arg_to_lambda(src)
         return yield if src_lm.deref_count != 1
 
         src_lm.ref!
         [dst_lm, src_lm]
       end
 
+      def xmm_reg?(reg)
+        reg.start_with?('xmm') && register?(reg)
+      end
+
+      # dst[64:128] = src[0:64]
+      def inst_punpcklqdq(dst, src)
+        raise_unsupported('punpcklqdq', dst, src) unless xmm_reg?(dst) && xmm_reg?(src)
+
+        dst = arg_to_lambda(dst)
+        src = arg_to_lambda(src)
+        (64 / self.class.bits).times do |i|
+          dst[i + 64 / self.class.bits] = src[i]
+        end
+      end
+
       def inst_lea(dst, src)
         check_register!(dst)
 
-        src = OneGadget::Emulators::Lambda.parse(src, predefined: registers)
-        src.ref!
-        registers[dst] = src
+        registers[dst] = arg_to_lambda(src).ref!
       end
 
       def inst_push(val)
-        val = OneGadget::Emulators::Lambda.parse(val, predefined: registers)
+        val = arg_to_lambda(val)
         registers[sp] -= size_t
         cur_top = registers[sp].evaluate(eval_dict)
         raise Error::InstructionArgumentError, "Corrupted stack pointer: #{cur_top}" unless cur_top.is_a?(Integer)
@@ -141,12 +163,12 @@ module OneGadget
       def inst_add(dst, src)
         check_register!(dst)
 
-        src = OneGadget::Emulators::Lambda.parse(src, predefined: registers)
+        src = arg_to_lambda(src)
         registers[dst] += src
       end
 
       def inst_sub(dst, src)
-        src = OneGadget::Emulators::Lambda.parse(src, predefined: registers)
+        src = arg_to_lambda(src)
         raise Error::UnsupportedInstructionArgumentError, "Unhandled -= of type #{src.class}" unless src.is_a?(Integer)
 
         registers[dst] -= src
@@ -160,7 +182,7 @@ module OneGadget
       # because it just invokes syscall.
       def inst_call(addr)
         # This is the last call
-        return registers[pc] = addr if %w[execve execl].any? { |n| addr.include?(n) }
+        return registers[pc] = addr if %w[execve execl posix_spawn].any? { |n| addr.include?(n) }
 
         # TODO: handle some registers would be fucked after call
         checker = {
@@ -177,7 +199,7 @@ module OneGadget
       end
 
       def add_writable(dst)
-        lmda = OneGadget::Emulators::Lambda.parse(dst, predefined: registers).ref!
+        lmda = arg_to_lambda(dst).ref!
         # pc-relative addresses should be writable
         return if lmda.obj == pc
 
@@ -188,7 +210,8 @@ module OneGadget
         return super unless reg =~ /^xmm\d+$/
 
         Array.new(128 / self.class.bits) do |i|
-          OneGadget::Emulators::Lambda.new("#{reg}__#{i}")
+          cast = "(u#{self.class.bits})"
+          OneGadget::Emulators::Lambda.new(i.zero? ? "#{cast}#{reg}" : "#{cast}(#{reg} >> #{self.class.bits * i})")
         end
       end
     end