one_gadget 1.9.0 → 1.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fc7692c2d1de780ad214a4c259f42a06560c664c9ec9e6db55e01ca5856c3a3b
-  data.tar.gz: ad1d2b9efcc87b69e07e02e3d0a7826174f73b46217e459eeedab881d6d43bf7
+  metadata.gz: 115a1008facd6ff265526eb0be8392bca7cd4eab161b549ead9ab6f34a0050b2
+  data.tar.gz: 56f21220b1a65fe15ac51b682f95ba52fb108084912570f8208f1ef40eafda52
 SHA512:
-  metadata.gz: 7ae80fea1083e6c72672d7b05fc5dbb769c3a53e2974f56f4e8162726dfdf811d677d746ef573c7310fefb382af9eef18a306cdc5431a7c8c1bc877ac4f30f74
-  data.tar.gz: 6deec0fe4bf09d84ff8e8b93bbdecea02ab69861115222a176b8ff4406163ba1255cdf874d50e9d4d2f3d1707a89f831c8c010f9cd7b73ca89134a87c6cc336a
+  metadata.gz: 5c5714e03eda9a982d9d1510ad5f0465e3f11e55155507910df4302e039d92a3a5c35cf5be45c0a8f30709b491fcb301d00e8e9d57638610c1e0042282e87a02
+  data.tar.gz: 21ac5b3a5cc316c92e90741bcec4e5efbdc8d97183c3810eba356216c636a9d4d59c3a62784e2395731d72a3c716fa8c10eec8697f04437e3da2a1c41a292c0c

data/README.md

@@ -64,18 +64,20 @@ $ one_gadget
 
 ```bash
 $ one_gadget /lib/x86_64-linux-gnu/libc.so.6
-# 0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
+# 0xe3afe execve("/bin/sh", r15, r12)
 # constraints:
-#   rsp & 0xf == 0
-#   rcx == NULL
+#   [r15] == NULL || r15 == NULL || r15 is a valid argv
+#   [r12] == NULL || r12 == NULL || r12 is a valid envp
 #
-# 0x4f322 execve("/bin/sh", rsp+0x40, environ)
+# 0xe3b01 execve("/bin/sh", r15, rdx)
 # constraints:
-#   [rsp+0x40] == NULL
+#   [r15] == NULL || r15 == NULL || r15 is a valid argv
+#   [rdx] == NULL || rdx == NULL || rdx is a valid envp
 #
-# 0x10a38c execve("/bin/sh", rsp+0x70, environ)
+# 0xe3b04 execve("/bin/sh", rsi, rdx)
 # constraints:
-#   [rsp+0x70] == NULL
+#   [rsi] == NULL || rsi == NULL || rsi is a valid argv
+#   [rdx] == NULL || rdx == NULL || rdx is a valid envp
 
 ```
 ![x86_64](https://github.com/david942j/one_gadget/blob/master/examples/x86_64.png?raw=true)
@@ -83,21 +85,17 @@ $ one_gadget /lib/x86_64-linux-gnu/libc.so.6
 #### Given BuildID
 ```bash
 $ one_gadget -b aad7dbe330f23ea00ca63daf793b766b51aceb5d
-# 0x45526 execve("/bin/sh", rsp+0x30, environ)
-# constraints:
-#   rax == NULL
-#
 # 0x4557a execve("/bin/sh", rsp+0x30, environ)
 # constraints:
-#   [rsp+0x30] == NULL
+#   [rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv
 #
 # 0xf1651 execve("/bin/sh", rsp+0x40, environ)
 # constraints:
-#   [rsp+0x40] == NULL
+#   [rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv
 #
 # 0xf24cb execve("/bin/sh", rsp+0x60, environ)
 # constraints:
-#   [rsp+0x60] == NULL
+#   [rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv
 
 ```
 ![build id](https://github.com/david942j/one_gadget/blob/master/examples/from_build_id.png?raw=true)
@@ -120,33 +118,37 @@ Reorder gadgets according to the distance of given functions.
 
 ```bash
 $ one_gadget /lib/x86_64-linux-gnu/libc.so.6 --near exit,mkdir
-# [OneGadget] Gadgets near exit(0x43120):
-# 0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
+# [OneGadget] Gadgets near exit(0x46a40):
+# 0xe3afe execve("/bin/sh", r15, r12)
 # constraints:
-#   rsp & 0xf == 0
-#   rcx == NULL
+#   [r15] == NULL || r15 == NULL || r15 is a valid argv
+#   [r12] == NULL || r12 == NULL || r12 is a valid envp
 #
-# 0x4f322 execve("/bin/sh", rsp+0x40, environ)
+# 0xe3b01 execve("/bin/sh", r15, rdx)
 # constraints:
-#   [rsp+0x40] == NULL
+#   [r15] == NULL || r15 == NULL || r15 is a valid argv
+#   [rdx] == NULL || rdx == NULL || rdx is a valid envp
 #
-# 0x10a38c execve("/bin/sh", rsp+0x70, environ)
+# 0xe3b04 execve("/bin/sh", rsi, rdx)
 # constraints:
-#   [rsp+0x70] == NULL
+#   [rsi] == NULL || rsi == NULL || rsi is a valid argv
+#   [rdx] == NULL || rdx == NULL || rdx is a valid envp
 #
-# [OneGadget] Gadgets near mkdir(0x10fbb0):
-# 0x10a38c execve("/bin/sh", rsp+0x70, environ)
+# [OneGadget] Gadgets near mkdir(0x10de70):
+# 0xe3b04 execve("/bin/sh", rsi, rdx)
 # constraints:
-#   [rsp+0x70] == NULL
+#   [rsi] == NULL || rsi == NULL || rsi is a valid argv
+#   [rdx] == NULL || rdx == NULL || rdx is a valid envp
 #
-# 0x4f322 execve("/bin/sh", rsp+0x40, environ)
+# 0xe3b01 execve("/bin/sh", r15, rdx)
 # constraints:
-#   [rsp+0x40] == NULL
+#   [r15] == NULL || r15 == NULL || r15 is a valid argv
+#   [rdx] == NULL || rdx == NULL || rdx is a valid envp
 #
-# 0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
+# 0xe3afe execve("/bin/sh", r15, r12)
 # constraints:
-#   rsp & 0xf == 0
-#   rcx == NULL
+#   [r15] == NULL || r15 == NULL || r15 is a valid argv
+#   [r12] == NULL || r12 == NULL || r12 is a valid envp
 #
 
 ```
@@ -155,11 +157,11 @@ $ one_gadget /lib/x86_64-linux-gnu/libc.so.6 --near exit,mkdir
 Regular expression is acceptable.
 ```bash
 $ one_gadget /lib/x86_64-linux-gnu/libc.so.6 --near 'write.*' --raw
-# [OneGadget] Gadgets near writev(0x1166a0):
-# 1090444 324386 324293
+# [OneGadget] Gadgets near writev(0x114690):
+# 932612 932609 932606
 #
-# [OneGadget] Gadgets near write(0x110140):
-# 1090444 324386 324293
+# [OneGadget] Gadgets near write(0x10e280):
+# 932612 932609 932606
 #
 
 ```
@@ -167,23 +169,23 @@ $ one_gadget /lib/x86_64-linux-gnu/libc.so.6 --near 'write.*' --raw
 Pass an ELF file as the argument, OneGadget will take all GOT functions for processing.
 ```bash
 $ one_gadget /lib/x86_64-linux-gnu/libc.so.6 --near spec/data/test_near_file.elf --raw
-# [OneGadget] Gadgets near exit(0x43120):
-# 324293 324386 1090444
+# [OneGadget] Gadgets near exit(0x46a40):
+# 932606 932609 932612
 #
-# [OneGadget] Gadgets near puts(0x809c0):
-# 324386 324293 1090444
+# [OneGadget] Gadgets near puts(0x84420):
+# 932606 932609 932612
 #
-# [OneGadget] Gadgets near printf(0x64e80):
-# 324386 324293 1090444
+# [OneGadget] Gadgets near printf(0x61c90):
+# 932606 932609 932612
 #
-# [OneGadget] Gadgets near strlen(0x9dc70):
-# 324386 324293 1090444
+# [OneGadget] Gadgets near strlen(0x9f630):
+# 932606 932609 932612
 #
-# [OneGadget] Gadgets near __cxa_finalize(0x43520):
-# 324293 324386 1090444
+# [OneGadget] Gadgets near __cxa_finalize(0x46f10):
+# 932606 932609 932612
 #
-# [OneGadget] Gadgets near __libc_start_main(0x21ab0):
-# 324293 324386 1090444
+# [OneGadget] Gadgets near __libc_start_main(0x23f90):
+# 932606 932609 932612
 #
 
 ```
@@ -197,89 +199,286 @@ Use option `--level 1` to show all gadgets found instead of only those with high
 
 ```bash
 $ one_gadget /lib/x86_64-linux-gnu/libc.so.6 --level 1
-# 0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
+# 0x51dfb posix_spawn(rsp+0xc, "/bin/sh", 0, rbp, rsp+0x50, environ)
 # constraints:
+#   address rsp+0x60 is writable
 #   rsp & 0xf == 0
-#   rcx == NULL
+#   {"sh", "-c", rbx, NULL} is a valid argv
+#   rbp == NULL || (u16)[rbp] == NULL
 #
-# 0x4f322 execve("/bin/sh", rsp+0x40, environ)
+# 0x51e02 posix_spawn(rsp+0xc, "/bin/sh", 0, rbp, rsp+0x50, environ)
 # constraints:
-#   [rsp+0x40] == NULL
+#   address rsp+0x60 is writable
+#   rsp & 0xf == 0
+#   rax == NULL || {"sh", rax, rbx, NULL} is a valid argv
+#   rbp == NULL || (u16)[rbp] == NULL
 #
-# 0xe569f execve("/bin/sh", r14, r12)
+# 0x51e09 posix_spawn(rsp+0xc, "/bin/sh", 0, rbp, rsp+0x50, environ)
 # constraints:
-#   [r14] == NULL || r14 == NULL
-#   [r12] == NULL || r12 == NULL
+#   address rsp+0x60 is writable
+#   rsp & 0xf == 0
+#   rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv
+#   rbp == NULL || (u16)[rbp] == NULL
 #
-# 0xe5858 execve("/bin/sh", [rbp-0x88], [rbp-0x70])
+# 0x51e10 posix_spawn(rsp+0xc, "/bin/sh", rdx, rbp, rsp+0x50, environ)
 # constraints:
-#   [[rbp-0x88]] == NULL || [rbp-0x88] == NULL
-#   [[rbp-0x70]] == NULL || [rbp-0x70] == NULL
+#   address rsp+0x60 is writable
+#   rsp & 0xf == 0
+#   rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv
+#   rdx == NULL || (s32)[rdx+0x4] <= 0
+#   rbp == NULL || (u16)[rbp] == NULL
 #
-# 0xe585f execve("/bin/sh", r10, [rbp-0x70])
+# 0x51e15 posix_spawn(rsp+0xc, "/bin/sh", rdx, rbp, rsp+0x50, environ)
 # constraints:
-#   [r10] == NULL || r10 == NULL
-#   [[rbp-0x70]] == NULL || [rbp-0x70] == NULL
+#   address rsp+0x60 is writable
+#   rsp & 0xf == 0
+#   (u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv
+#   rdx == NULL || (s32)[rdx+0x4] <= 0
+#   rbp == NULL || (u16)[rbp] == NULL
 #
-# 0xe5863 execve("/bin/sh", r10, rdx)
+# 0x51e25 posix_spawn(rdi, "/bin/sh", rdx, rbp, rsp+0x50, [rax])
 # constraints:
-#   [r10] == NULL || r10 == NULL
-#   [rdx] == NULL || rdx == NULL
+#   address rsp+0x60 is writable
+#   rsp & 0xf == 0
+#   (u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv
+#   [[rax]] == NULL || [rax] == NULL || [rax] is a valid envp
+#   rdi == NULL || writable: rdi
+#   rdx == NULL || (s32)[rdx+0x4] <= 0
+#   rbp == NULL || (u16)[rbp] == NULL
 #
-# 0x10a38c execve("/bin/sh", rsp+0x70, environ)
+# 0x51e2a posix_spawn(rdi, "/bin/sh", rdx, rbp, r8, [rax])
 # constraints:
-#   [rsp+0x70] == NULL
+#   address rsp+0x60 is writable
+#   rsp & 0xf == 0
+#   [r8] == NULL || r8 is a valid argv
+#   [[rax]] == NULL || [rax] == NULL || [rax] is a valid envp
+#   rdi == NULL || writable: rdi
+#   rdx == NULL || (s32)[rdx+0x4] <= 0
+#   rbp == NULL || (u16)[rbp] == NULL
 #
-# 0x10a398 execve("/bin/sh", rsi, [rax])
+# 0x51e2d posix_spawn(rdi, "/bin/sh", rdx, rcx, r8, [rax])
 # constraints:
-#   [rsi] == NULL || rsi == NULL
-#   [[rax]] == NULL || [rax] == NULL
-
-```
-
-#### Other Architectures
-
-##### i386
-```bash
-$ one_gadget /lib32/libc.so.6
-# 0x3cbea execve("/bin/sh", esp+0x34, environ)
+#   address rsp+0x60 is writable
+#   rsp & 0xf == 0
+#   [r8] == NULL || r8 is a valid argv
+#   [[rax]] == NULL || [rax] == NULL || [rax] is a valid envp
+#   rdi == NULL || writable: rdi
+#   rdx == NULL || (s32)[rdx+0x4] <= 0
+#   rcx == NULL || (u16)[rcx] == NULL
+#
+# 0x51e32 posix_spawn(rdi, "/bin/sh", rdx, rcx, r8, [rax])
 # constraints:
-#   esi is the GOT address of libc
-#   [esp+0x34] == NULL
+#   address rsp+0x68 is writable
+#   rsp & 0xf == 0
+#   [r8] == NULL || r8 is a valid argv
+#   [[rax]] == NULL || [rax] == NULL || [rax] is a valid envp
+#   rdi == NULL || writable: rdi
+#   rdx == NULL || (s32)[rdx+0x4] <= 0
+#   rcx == NULL || (u16)[rcx] == NULL
 #
-# 0x3cbec execve("/bin/sh", esp+0x38, environ)
+# 0x84135 posix_spawn(rbx+0xe0, "/bin/sh", r12, 0, rsp+0x60, environ)
 # constraints:
-#   esi is the GOT address of libc
-#   [esp+0x38] == NULL
+#   address rsp+0x70 is writable
+#   rsp & 0xf == 0
+#   {"sh", "-c", rbp, NULL} is a valid argv
+#   rbx+0xe0 == NULL || writable: rbx+0xe0
+#   r12 == NULL || (s32)[r12+0x4] <= 0
 #
-# 0x3cbf0 execve("/bin/sh", esp+0x3c, environ)
+# 0x8413c posix_spawn(rbx+0xe0, "/bin/sh", r12, 0, rsp+0x60, environ)
 # constraints:
-#   esi is the GOT address of libc
-#   [esp+0x3c] == NULL
+#   address rsp+0x70 is writable
+#   rsp & 0xf == 0
+#   rax == NULL || {"sh", rax, rbp, NULL} is a valid argv
+#   rbx+0xe0 == NULL || writable: rbx+0xe0
+#   r12 == NULL || (s32)[r12+0x4] <= 0
 #
-# 0x3cbf7 execve("/bin/sh", esp+0x40, environ)
+# 0x84143 posix_spawn(rbx+0xe0, "/bin/sh", r12, 0, rsp+0x60, environ)
 # constraints:
-#   esi is the GOT address of libc
-#   [esp+0x40] == NULL
+#   address rsp+0x70 is writable
+#   rsp & 0xf == 0
+#   rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv
+#   rbx+0xe0 == NULL || writable: rbx+0xe0
+#   r12 == NULL || (s32)[r12+0x4] <= 0
 #
-# 0x6729f execl("/bin/sh", eax)
+# 0x84146 posix_spawn(rbx+0xe0, "/bin/sh", rdx, 0, rsp+0x60, environ)
 # constraints:
-#   esi is the GOT address of libc
-#   eax == NULL
+#   address rsp+0x70 is writable
+#   rsp & 0xf == 0
+#   rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv
+#   rbx+0xe0 == NULL || writable: rbx+0xe0
+#   rdx == NULL || (s32)[rdx+0x4] <= 0
 #
-# 0x672a0 execl("/bin/sh", [esp])
+# 0x8414b posix_spawn(rbx+0xe0, "/bin/sh", rdx, 0, rsp+0x60, environ)
 # constraints:
-#   esi is the GOT address of libc
-#   [esp] == NULL
+#   address rsp+0x78 is writable
+#   rsp & 0xf == 0
+#   rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv
+#   rbx+0xe0 == NULL || writable: rbx+0xe0
+#   rdx == NULL || (s32)[rdx+0x4] <= 0
+#
+# 0x84150 posix_spawn(rbx+0xe0, "/bin/sh", rdx, 0, rsp+0x60, environ)
+# constraints:
+#   address rsp+0x78 is writable
+#   rsp & 0xf == 0
+#   rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv
+#   rbx+0xe0 == NULL || writable: rbx+0xe0
+#   rdx == NULL || (s32)[rdx+0x4] <= 0
+#
+# 0x8415c posix_spawn(rbx+0xe0, "/bin/sh", rdx, 0, rsp+0x60, [rax])
+# constraints:
+#   address rsp+0x78 is writable
+#   rsp & 0xf == 0
+#   (u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv
+#   [[rax]] == NULL || [rax] == NULL || [rax] is a valid envp
+#   rbx+0xe0 == NULL || writable: rbx+0xe0
+#   rdx == NULL || (s32)[rdx+0x4] <= 0
+#
+# 0x84162 posix_spawn(rbx+0xe0, "/bin/sh", rdx, rcx, rsp+0x60, [rax])
+# constraints:
+#   address rsp+0x78 is writable
+#   rsp & 0xf == 0
+#   (u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv
+#   [[rax]] == NULL || [rax] == NULL || [rax] is a valid envp
+#   rbx+0xe0 == NULL || writable: rbx+0xe0
+#   rdx == NULL || (s32)[rdx+0x4] <= 0
+#   rcx == NULL || (u16)[rcx] == NULL
+#
+# 0x84169 posix_spawn(rdi, "/bin/sh", rdx, rcx, rsp+0x60, [rax])
+# constraints:
+#   address rsp+0x78 is writable
+#   rsp & 0xf == 0
+#   (u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv
+#   [[rax]] == NULL || [rax] == NULL || [rax] is a valid envp
+#   rdi == NULL || writable: rdi
+#   rdx == NULL || (s32)[rdx+0x4] <= 0
+#   rcx == NULL || (u16)[rcx] == NULL
+#
+# 0x84170 posix_spawn(rdi, "/bin/sh", rdx, rcx, r8, [rax])
+# constraints:
+#   address rsp+0x78 is writable
+#   rsp & 0xf == 0
+#   [r8] == NULL || r8 is a valid argv
+#   [[rax]] == NULL || [rax] == NULL || [rax] is a valid envp
+#   rdi == NULL || writable: rdi
+#   rdx == NULL || (s32)[rdx+0x4] <= 0
+#   rcx == NULL || (u16)[rcx] == NULL
+#
+# 0xe3afe execve("/bin/sh", r15, r12)
+# constraints:
+#   [r15] == NULL || r15 == NULL || r15 is a valid argv
+#   [r12] == NULL || r12 == NULL || r12 is a valid envp
+#
+# 0xe3b01 execve("/bin/sh", r15, rdx)
+# constraints:
+#   [r15] == NULL || r15 == NULL || r15 is a valid argv
+#   [rdx] == NULL || rdx == NULL || rdx is a valid envp
+#
+# 0xe3b04 execve("/bin/sh", rsi, rdx)
+# constraints:
+#   [rsi] == NULL || rsi == NULL || rsi is a valid argv
+#   [rdx] == NULL || rdx == NULL || rdx is a valid envp
+#
+# 0xe3cf3 execve("/bin/sh", r10, r12)
+# constraints:
+#   address rbp-0x78 is writable
+#   [r10] == NULL || r10 == NULL || r10 is a valid argv
+#   [r12] == NULL || r12 == NULL || r12 is a valid envp
+#
+# 0xe3cf6 execve("/bin/sh", r10, rdx)
+# constraints:
+#   address rbp-0x78 is writable
+#   [r10] == NULL || r10 == NULL || r10 is a valid argv
+#   [rdx] == NULL || rdx == NULL || rdx is a valid envp
 #
-# 0x13573e execl("/bin/sh", eax)
+# 0xe3d62 execve("/bin/sh", rbp-0x50, r12)
 # constraints:
+#   address rbp-0x48 is writable
+#   r13 == NULL || {"/bin/sh", r13, NULL} is a valid argv
+#   [r12] == NULL || r12 == NULL || r12 is a valid envp
+#
+# 0xe3d69 execve("/bin/sh", rbp-0x50, r12)
+# constraints:
+#   address rbp-0x48 is writable
+#   rax == NULL || {rax, r13, NULL} is a valid argv
+#   [r12] == NULL || r12 == NULL || r12 is a valid envp
+#
+# 0xe3d70 execve("/bin/sh", rbp-0x50, r12)
+# constraints:
+#   address rbp-0x50 is writable
+#   rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv
+#   [r12] == NULL || r12 == NULL || r12 is a valid envp
+#
+# 0xe3da7 execve("/bin/sh", rbp-0x50, r12)
+# constraints:
+#   address rbp-0x50 is writable
+#   [rbp-0x68] == NULL || {"/bin/sh", [rbp-0x68], NULL} is a valid argv
+#   [r12] == NULL || r12 == NULL || r12 is a valid envp
+#
+# 0xe3db1 execve("/bin/sh", rbp-0x50, r12)
+# constraints:
+#   address rbp-0x50 is writable
+#   rax == NULL || {rax, [rbp-0x68], NULL} is a valid argv
+#   [r12] == NULL || r12 == NULL || r12 is a valid envp
+#
+# 0xe3db5 execve("/bin/sh", r10, r12)
+# constraints:
+#   addresses r10+0x10, rbp-0x50 are writable
+#   [r10] == NULL || r10 == NULL || r10 is a valid argv
+#   [r12] == NULL || r12 == NULL || r12 is a valid envp
+#
+# 0xe3dbd execve("/bin/sh", r10, r12)
+# constraints:
+#   addresses r10+0x10, rbp-0x48 are writable
+#   [r10] == NULL || r10 == NULL || r10 is a valid argv
+#   [r12] == NULL || r12 == NULL || r12 is a valid envp
+#
+# 0x1077ca posix_spawn(rsp+0x64, "/bin/sh", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])
+# constraints:
+#   [rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv
+#   [[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp
+#   [rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0
+#
+# 0x1077d2 posix_spawn(rsp+0x64, "/bin/sh", [rsp+0x38], 0, rsp+0x70, r9)
+# constraints:
+#   [rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv
+#   [r9] == NULL || r9 == NULL || r9 is a valid envp
+#   [rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0
+#
+# 0x1077d7 posix_spawn(rsp+0x64, "/bin/sh", rdx, 0, rsp+0x70, r9)
+# constraints:
+#   [rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv
+#   [r9] == NULL || r9 == NULL || r9 is a valid envp
+#   rdx == NULL || (s32)[rdx+0x4] <= 0
+#
+# 0x1077e1 posix_spawn(rdi, "/bin/sh", rdx, 0, r8, r9)
+# constraints:
+#   [r8] == NULL || r8 is a valid argv
+#   [r9] == NULL || r9 == NULL || r9 is a valid envp
+#   rdi == NULL || writable: rdi
+#   rdx == NULL || (s32)[rdx+0x4] <= 0
+
+```
+
+#### Other Architectures
+
+##### i386
+```bash
+$ one_gadget /lib32/libc.so.6
+# 0xc890b execve("/bin/sh", [ebp-0x2c], esi)
+# constraints:
+#   address ebp-0x20 is writable
 #   ebx is the GOT address of libc
+#   [[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv
+#   [esi] == NULL || esi == NULL || esi is a valid envp
+#
+# 0x1421b3 execl("/bin/sh", eax)
+# constraints:
+#   ebp is the GOT address of libc
 #   eax == NULL
 #
-# 0x13573f execl("/bin/sh", [esp])
+# 0x1421b4 execl("/bin/sh", [esp])
 # constraints:
-#   ebx is the GOT address of libc
+#   ebp is the GOT address of libc
 #   [esp] == NULL
 
 ```
@@ -324,15 +523,15 @@ $ one_gadget ./spec/data/libc-2.19.so -s 'echo "offset ->"'
 ```ruby
 require 'one_gadget'
 OneGadget.gadgets(file: '/lib/x86_64-linux-gnu/libc.so.6')
-#=> [324293, 324386, 1090444]
+#=> [932606, 932609, 932612]
 
 # or in shorter way
 one_gadget('/lib/x86_64-linux-gnu/libc.so.6', level: 1)
-#=> [324293, 324386, 939679, 940120, 940127, 940131, 1090444, 1090456]
+#=> [335355, 335362, 335369, 335376, 335381, 335397, 335402, 335405, 335410, 540981, 540988, 540995, 540998, 541003, 541008, 541020, 541026, 541033, 541040, 932606, 932609, 932612, 933107, 933110, 933218, 933225, 933232, 933287, 933297, 933301, 933309, 1079242, 1079250, 1079255, 1079265]
 
 # from build id
 one_gadget('b417c0ba7cc5cf06d1d1bed6652cedb9253c60d0')
-#=> [324293, 324386, 1090444]
+#=> [324286, 324293, 324386, 1090444]
 
 ```
 
@@ -343,7 +542,7 @@ def one_gadget(filename):
   return [int(i) for i in subprocess.check_output(['one_gadget', '--raw', filename]).decode().split(' ')]
 
 one_gadget('/lib/x86_64-linux-gnu/libc.so.6')
-#=> [324293, 324386, 1090444]
+#=> [932606, 932609, 932612]
 
 ```
 

data/lib/one_gadget/cli.rb

@@ -12,7 +12,7 @@ module OneGadget
     # Help message.
     USAGE = 'Usage: one_gadget <FILE|-b BuildID> [options]'
     # Default options.
-    DEFAULT_OPTIONS = { raw: false, force_file: false, level: 0, base: 0 }.freeze
+    DEFAULT_OPTIONS = { format: :pretty, force_file: false, level: 0, base: 0 }.freeze
 
     module_function
 
@@ -49,9 +49,9 @@ module OneGadget
       return show(parser.help) && false unless build_id || libc_file
 
       gadgets = if build_id
-                  OneGadget.gadgets(build_id: build_id, details: true, level: level)
+                  OneGadget.gadgets(build_id:, details: true, level:)
                 else # libc_file
-                  OneGadget.gadgets(file: libc_file, details: true, force_file: @options[:force_file], level: level)
+                  OneGadget.gadgets(file: libc_file, details: true, force_file: @options[:force_file], level:)
                 end
       gadgets.each { |g| g.base = @options[:base] }
       handle_gadgets(gadgets, libc_file)
@@ -66,7 +66,7 @@ module OneGadget
       return handle_script(gadgets, @options[:script]) if @options[:script]
       return handle_near(libc_file, gadgets, @options[:near]) if @options[:near]
 
-      display_gadgets(gadgets, @options[:raw])
+      display_gadgets(gadgets, @options[:format])
     end
 
     # Displays libc information given BuildID.
@@ -119,13 +119,18 @@ module OneGadget
           @options[:level] = l
         end
 
-        opts.on('-n', '--near FUNCTIONS/FILE', 'Order gadgets by their distance to the given functions'\
-                                               ' or to the GOT functions of the given file.') do |n|
+        opts.on('-n', '--near FUNCTIONS/FILE', 'Order gadgets by their distance to the given functions ' \
+                                               'or to the GOT functions of the given file.') do |n|
           @options[:near] = n
         end
 
-        opts.on('-r', '--[no-]raw', 'Output gadgets offset only, split with one space.') do |v|
-          @options[:raw] = v
+        opts.on('-o FORMAT', '--output-format FORMAT', %i[pretty raw json],
+                'Output format. FORMAT should be one of <pretty|raw|json>.', 'Default: pretty') do |o|
+          @options[:format] = o
+        end
+
+        opts.on('-r', '--raw', 'Alias of -o raw. Output gadgets offset only, split with one space.') do |_|
+          @options[:format] = :raw
         end
 
         opts.on('-s', '--script exploit-script', 'Run exploit script with all possible gadgets.',
@@ -176,14 +181,19 @@ module OneGadget
 
     # Writes gadgets to stdout.
     # @param [Array<OneGadget::Gadget::Gadget>] gadgets
-    # @param [Boolean] raw
-    #   In raw mode, only the offset of gadgets are printed.
+    # @param [Symbol] format
+    #   :raw - Only the offset of gadgets are printed.
+    #   :pretty - Colorful and human-readable format.
+    #   :json - In JSON format.
     # @return [true]
-    def display_gadgets(gadgets, raw)
-      if raw
+    def display_gadgets(gadgets, format)
+      case format
+      when :raw
         show(gadgets.map(&:value).join(' '))
-      else
+      when :pretty
         show(gadgets.map(&:inspect).join("\n"))
+      when :json
+        show(gadgets.to_json)
       end
     end
 
@@ -199,7 +209,7 @@ module OneGadget
     # @param [String] libc_file
     # @param [Array<OneGadget::Gadget::Gadget>] gadgets
     # @param [String] near
-    #   This can be name of functions or an ELF file.
+    #   Either name of functions or path to an ELF file.
     #   - Use one comma without spaces to specify a list of functions: +printf,scanf,free+.
     #   - Path to an ELF file and take its GOT functions to process: +/bin/ls+
     def handle_near(libc_file, gadgets, near)
@@ -213,10 +223,19 @@ module OneGadget
       function_offsets = OneGadget::Helper.function_offsets(libc_file, functions)
       return error('No functions for processing') if function_offsets.empty?
 
-      function_offsets.each do |function, offset|
-        colored_offset = OneGadget::Helper.colored_hex(offset)
-        OneGadget::Logger.warn("Gadgets near #{OneGadget::Helper.colorize(function)}(#{colored_offset}):")
-        display_gadgets(gadgets.sort_by { |gadget| (gadget.offset - offset).abs }, @options[:raw])
+      collection = function_offsets.map do |function, offset|
+        {
+          near: function,
+          near_offset: offset,
+          gadgets: gadgets.sort_by { |gadget| (gadget.offset - offset).abs }
+        }
+      end
+      return show(collection.to_json) if @options[:format] == :json
+
+      collection.each do |c|
+        colored_offset = OneGadget::Helper.colored_hex(c[:near_offset])
+        OneGadget::Logger.warn("Gadgets near #{OneGadget::Helper.colorize(c[:near])}(#{colored_offset}):")
+        display_gadgets(c[:gadgets], @options[:format])
         show("\n")
       end
       true

data/lib/one_gadget/emulators/aarch64.rb

@@ -18,8 +18,8 @@ module OneGadget
 
       # @see OneGadget::Emulators::X86#process!
       def process!(cmd)
-        inst, args = parse(cmd.gsub(/#-?(0x)?[0-9a-f]+/) { |v| v[1..-1] })
-        sym = "inst_#{inst.inst}".to_sym
+        inst, args = parse(cmd.gsub(/#-?(0x)?[0-9a-f]+/) { |v| v[1..] })
+        sym = :"inst_#{inst.inst}"
         __send__(sym, *args) != :fail
       end
 

data/lib/one_gadget/emulators/instruction.rb

@@ -31,7 +31,7 @@ module OneGadget
         idx = cmd.index(inst)
         cmd = cmd[0...cmd.rindex('//')] if cmd.rindex('//')
         cmd = cmd[0...cmd.rindex('#')] if cmd.rindex('#')
-        args = parse_args(cmd[idx + inst.size..-1])
+        args = parse_args(cmd[idx + inst.size..])
         unless argc.include?(args.size)
           raise OneGadget::Error::InstructionArgumentError, "Incorrect argument number in #{cmd}, expect: #{argc}"
         end

data/lib/one_gadget/emulators/lambda.rb

@@ -43,7 +43,7 @@ module OneGadget
       # @param [Numeric] other Value to substract.
       # @return [Lambda] The result.
       def -(other)
-        self.+(-other)
+        self + -other
       end
 
       # Increase dereference count by 1.
@@ -123,8 +123,8 @@ module OneGadget
           # nested []
           if arg[0] == '['
             ridx = arg.rindex(']')
-            immi = parse(arg[(ridx + 1)..-1])
-            lm = parse(arg[1...ridx], predefined: predefined).deref
+            immi = parse(arg[(ridx + 1)..])
+            lm = parse(arg[1...ridx], predefined:).deref
             lm += immi unless immi.zero?
             return lm
           end

data/lib/one_gadget/emulators/processor.rb

@@ -19,7 +19,7 @@ module OneGadget
       # @param [String] sp
       #   The stack register.
       def initialize(registers, sp)
-        @registers = registers.map { |reg| [reg, to_lambda(reg)] }.to_h
+        @registers = registers.to_h { |reg| [reg, to_lambda(reg)] }
         @sp = sp
         @constraints = []
         @sp_based_stack = Hash.new do |h, k|

data/lib/one_gadget/emulators/x86.rb

@@ -36,7 +36,7 @@ module OneGadget
         # return registers[pc] = args[0] if inst.inst == 'call'
         return true if inst.inst == 'jmp' # believe the fetcher has handled jmp.
 
-        sym = "inst_#{inst.inst}".to_sym
+        sym = :"inst_#{inst.inst}"
         __send__(sym, *args) != :fail
       end
 

data/lib/one_gadget/fetcher.rb

@@ -20,7 +20,7 @@ module OneGadget
       #   +nil+ is returned if cannot find target id in database.
       def from_build_id(build_id, remote: true)
         OneGadget::Helper.verify_build_id!(build_id)
-        OneGadget::Gadget.builds(build_id, remote: remote)
+        OneGadget::Gadget.builds(build_id, remote:)
       end
 
       # Fetch one-gadget offsets from file.

data/lib/one_gadget/fetchers/base.rb

@@ -28,7 +28,7 @@ module OneGadget
           # use processor to find which can lead to a valid one-gadget call.
           gadgets = []
           (lines.size - 2).downto(0) do |i|
-            processor = emulate(lines[i..-1])
+            processor = emulate(lines[i..])
             options = resolve(processor)
             next if options.nil? # impossible to be a gadget
 
@@ -48,7 +48,7 @@ module OneGadget
       #   True for valid.
       # @return [Array<String>]
       #   Each +String+ returned is multi-lines of assembly code.
-      def candidates(&block)
+      def candidates(&)
         call_regexp = "#{call_str}.*<(exec[^+]*|posix_spawn[^+]*)>$"
         cands = []
         `#{@objdump.command}|grep -E '#{call_regexp}' -B 30`.split('--').each do |cand|
@@ -63,7 +63,7 @@ module OneGadget
         end
         # remove all jmps
         cands = slice_prefix(cands, &method(:branch?))
-        cands.select!(&block) if block_given?
+        cands.select!(&) if block_given?
         cands
       end
 
@@ -81,7 +81,8 @@ module OneGadget
         call = processor.registers[processor.pc].to_s
         return resolve_posix_spawn(processor) if call.include?('posix_spawn')
         return resolve_execve(processor) if call.include?('execve')
-        return resolve_execl(processor) if call.include?('execl')
+
+        resolve_execl(processor) if call.include?('execl')
       end
 
       def resolve_execve(processor)
@@ -110,7 +111,7 @@ module OneGadget
           envp = arg2
         end
 
-        { constraints: cons, envp: envp }
+        { constraints: cons, envp: }
       end
 
       def check_argv(processor, arg, allow_null)
@@ -282,7 +283,7 @@ module OneGadget
         cands.map do |cand|
           lines = cand.lines
           to_rm = lines[0...-1].rindex(&block)
-          lines = lines[to_rm + 1..-1] unless to_rm.nil?
+          lines = lines[to_rm + 1..] unless to_rm.nil?
           lines.join
         end
       end

data/lib/one_gadget/gadget.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'json'
+
 require 'one_gadget/abi'
 require 'one_gadget/emulators/lambda'
 require 'one_gadget/error'
@@ -28,13 +30,12 @@ module OneGadget
         @base = 0
         @offset = offset
         @constraints = options[:constraints] || []
-        @effect = options[:effect]
+        @effect = options[:effect] || ''
       end
 
       # Show gadget in a pretty way.
       def inspect
-        str = OneGadget::Helper.hex(value)
-        str += effect ? " #{effect}\n" : "\n"
+        str = "#{OneGadget::Helper.hex(value)} #{effect}\n"
         unless constraints.empty?
           str += "#{OneGadget::Helper.colorize('constraints')}:\n  "
           str += merge_constraints.join("\n  ")
@@ -46,6 +47,21 @@ module OneGadget
         "#{str}\n"
       end
 
+      # @return [Hash]
+      def to_obj
+        {
+          value:,
+          effect:,
+          constraints:
+        }
+      end
+
+      # To have this class can be serialized in JSON.
+      # @return [String]
+      def to_json(*)
+        to_obj.to_json
+      end
+
       # @return [Integer]
       #   Returns +base+ plus +offset+.
       def value
@@ -112,7 +128,7 @@ module OneGadget
         w_cons, normal = constraints.partition { |c| c.start_with?(key) }
         return normal if w_cons.empty?
 
-        w_cons.map! { |c| c[key.size..-1] }
+        w_cons.map! { |c| c[key.size..] }
         ["address#{w_cons.size > 1 ? 'es' : ''} #{w_cons.join(', ')} #{w_cons.size > 1 ? 'are' : 'is'} writable"] +
           normal
       end
@@ -161,7 +177,7 @@ module OneGadget
       def builds_info(build_id)
         raise Error::ArgumentError, "Invalid BuildID #{build_id.inspect}" if build_id =~ /[^0-9a-f]/
 
-        files = Dir.glob(File.join(BUILDS_PATH, "*-#{build_id}*.rb")).sort
+        files = Dir.glob(File.join(BUILDS_PATH, "*-#{build_id}*.rb"))
         return OneGadget::Logger.not_found(build_id) && nil if files.empty?
 
         if files.size > 1
@@ -189,7 +205,7 @@ module OneGadget
       def find_build(id)
         return BUILDS[id] if BUILDS.key?(id)
 
-        Dir.glob(File.join(BUILDS_PATH, "*-#{id}.rb")).sort.each do |dic|
+        Dir.glob(File.join(BUILDS_PATH, "*-#{id}.rb")).each do |dic|
           require dic
         end
         BUILDS[id] if BUILDS.key?(id)

data/lib/one_gadget/helper.rb

@@ -13,7 +13,7 @@ module OneGadget
   # Define some helpful methods here.
   module Helper
     # Format of build-id, 40 hex numbers.
-    BUILD_ID_FORMAT = /[0-9a-f]{40}/.freeze
+    BUILD_ID_FORMAT = /[0-9a-f]{40}/
 
     module_function
 
@@ -35,7 +35,7 @@ module OneGadget
     # @return [Array<String>]
     #   Lines of comments.
     def comments_of_file(file)
-      File.readlines(file).map { |s| s[2..-1].rstrip if s.start_with?('# ') }.compact
+      File.readlines(file).map { |s| s[2..].rstrip if s.start_with?('# ') }.compact
     end
 
     # Get absolute path from relative path. Support symlink.

data/lib/one_gadget/update.rb

@@ -24,14 +24,14 @@ module OneGadget
         FileUtils.touch(cache_file)
         OneGadget::Logger.info("Checking for new versions of OneGadget\n" \
                                "To disable this functionality, do\n$ echo never > #{CACHE_FILE}\n\n")
-        latest = Helper.latest_tag[1..-1] # remove 'v'
+        latest = Helper.latest_tag[1..] # remove 'v'
         if Gem::Version.new(latest) <= Gem::Version.new(OneGadget::VERSION)
           return OneGadget::Logger.info("You have the latest version of OneGadget (#{latest})!\n\n")
         end
 
         # show update message
         msg = format('A newer version of OneGadget is available (%s --> %s).', OneGadget::VERSION, latest)
-        OneGadget::Logger.ask_update(msg: msg)
+        OneGadget::Logger.ask_update(msg:)
       end
 
       private

data/lib/one_gadget/version.rb

@@ -2,5 +2,5 @@
 
 module OneGadget
   # Current gem version.
-  VERSION = '1.9.0'
+  VERSION = '1.10.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: one_gadget
 version: !ruby/object:Gem::Version
-  version: 1.9.0
+  version: 1.10.0
 platform: ruby
 authors:
 - david942j
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-11-29 00:00:00.000000000 Z
+date: 2024-10-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: elftools
@@ -19,7 +19,7 @@ dependencies:
         version: 1.0.2
     - - "<"
       - !ruby/object:Gem::Version
-        version: 1.2.0
+        version: 1.4.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +29,7 @@ dependencies:
         version: 1.0.2
     - - "<"
       - !ruby/object:Gem::Version
-        version: 1.2.0
+        version: 1.4.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -1014,14 +1014,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.4'
+      version: '3.1'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.5.3
 signing_key: 
 specification_version: 4
 summary: one_gadget