one_gadget 1.2.0 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 25904f1508d192a00e1702d7adb48d52af589ae0
-  data.tar.gz: abe1ec3e6b3f57420326aad5100a3a6d4a260b6b
+  metadata.gz: 3cc62d276055fdb8dc5a968da82d417248f07d4b
+  data.tar.gz: 9b102faa2884dfb094e2c8b4a1df5f32fb7f5eaf
 SHA512:
-  metadata.gz: 0d8593c144d504c00ea3f1e3b80397391012a3414054bdc586c52340830b22b7bb7ec57b054c20d6198ded00b25443dbe42225f2804da504474d531777ba922e
-  data.tar.gz: a06dce9ee9693fe06422000c6d7105ab55655fbdd79b4edcf69dd9f2a618b9b5f4e5c041941f809fa251296825e63e7ae2f4c90a401ac3d20d05dbe37b8138ac
+  metadata.gz: b86e5a6ad42af54af86358385aab99a43d3f04aeb5ce8303c68d0fcb15d3c06c3d916bb477cd067bb5fb504c0c4da1479f68aa56eea7742ff4996d0362c91c0b
+  data.tar.gz: 8a55837472e55ff34c52c74521f7c8358720055ed0aa6f7912563d4c1ad169aba3c6305c2480e43e576adb0df887f3b6fbdf9edba186b83d567b97e2fb9f8f50

data/README.md

@@ -1,5 +1,5 @@
 [![Build Status](https://travis-ci.org/david942j/one_gadget.svg?branch=master)](https://travis-ci.org/david942j/one_gadget)
-![](http://ruby-gem-downloads-badge.herokuapp.com/one_gadget?type=total&color=orange)
+[![Downloads](http://ruby-gem-downloads-badge.herokuapp.com/one_gadget?type=total&color=orange)](https://rubygems.org/gems/one_gadget)
 [![Code Climate](https://codeclimate.com/github/david942j/one_gadget/badges/gpa.svg)](https://codeclimate.com/github/david942j/one_gadget)
 [![Issue Count](https://codeclimate.com/github/david942j/one_gadget/badges/issue_count.svg)](https://codeclimate.com/github/david942j/one_gadget)
 [![Test Coverage](https://codeclimate.com/github/david942j/one_gadget/badges/coverage.svg)](https://codeclimate.com/github/david942j/one_gadget/coverage)
@@ -41,38 +41,43 @@ one_gadget
 #                                      The script will be run as 'exploit-script $offset'.
 
 one_gadget -b 60131540dadc6796cab33388349e6e4e68692053
-# offset: 0x4526a
+# 0x4526a execve("/bin/sh", rsp+0x30, environ)
 # constraints:
 #   [rsp+0x30] == NULL
-#
-# offset: 0xef6c4
+# 
+# 0xef6c4 execve("/bin/sh", rsp+0x50, environ)
 # constraints:
 #   [rsp+0x50] == NULL
-#
-# offset: 0xf0567
+# 
+# 0xf0567 execve("/bin/sh", rsp+0x70, environ)
 # constraints:
 #   [rsp+0x70] == NULL
-#
-# offset: 0xf5b10
+# 
+# 0xcc543 execve("/bin/sh", rcx, r12)
 # constraints:
-#   [rbp-0xf8] == NULL
-#   rcx == NULL
+#   rcx == NULL || [rcx] == NULL
+#   r12 == NULL || [r12] == NULL
+# 
+# 0xf5b10 execve("/bin/sh", rcx, [rbp-0xf8])
+# constraints:
+#   [rbp-0xf8] == NULL || [[rbp-0xf8]] == NULL
+#   rcx == NULL || [rcx] == NULL
 
 one_gadget /lib/i386-linux-gnu/libc.so.6
-# offset: 0x3ac69
+# 0x3ac69 execve("/bin/sh", esp+0x34, environ)
 # constraints:
 #   esi is the address of `rw-p` area of libc
 #   [esp+0x34] == NULL
-#
-# offset: 0x5fbbe
+# 
+# 0x5fbc5 execl("/bin/sh", eax)
 # constraints:
 #   esi is the address of `rw-p` area of libc
 #   eax == NULL
-#
-# offset: 0x12036c
+# 
+# 0x5fbc6 execl("/bin/sh", [esp])
 # constraints:
 #   esi is the address of `rw-p` area of libc
-#   eax == NULL
+#   [esp] == NULL
 
 ```
 
@@ -90,14 +95,19 @@ one_gadget ./spec/data/libc-2.19.so -s 'echo "offset ->"'
 ```ruby
 require 'one_gadget'
 OneGadget.gadgets(file: '/lib/x86_64-linux-gnu/libc.so.6')
-# => [283242, 980676, 984423, 1006352]
+# => [283242, 980676, 984423, 836931, 1006352]
 ```
 
 ## Screenshots
 
 ### Search gadgets from file
+
+#### 64 bit
 ![from file](https://github.com/david942j/one_gadget/blob/master/examples/from_file.png?raw=true)
 
+#### 32 bit
+![from file](https://github.com/david942j/one_gadget/blob/master/examples/from_file_32bit.png?raw=true)
+
 ### Fetch gadgets from database
 ![build id](https://github.com/david942j/one_gadget/blob/master/examples/from_build_id.png?raw=true)
 

data/lib/one_gadget/abi.rb

@@ -5,10 +5,19 @@ module OneGadget
     module ClassMethods
       LINUX_X86_32 = %w(eax ebx ecx edx edi esi ebp esp).freeze
       LINUX_X86_64 = LINUX_X86_32 + %w(rax rbx rcx rdx rdi rsi rbp rsp) + 7.upto(15).map { |i| "r#{i}" }
-      # Only support x86-64 now.
-      def registers
+      # Registers' name in amd64.
+      # @return [Array<String>] List of registers.
+      def amd64
         LINUX_X86_64
       end
+
+      # Registers' name in i386.
+      # @return [Array<String>] List of registers.
+      def i386
+        LINUX_X86_32
+      end
+
+      alias all amd64
     end
     extend ClassMethods
   end

data/lib/one_gadget/builds/libc-2.23-60131540dadc6796cab33388349e6e4e68692053.rb

@@ -2,7 +2,15 @@ require 'one_gadget/gadget'
 # Ubuntu GLIBC 2.23-0ubuntu5
 # ELF 64-bit LSB shared object, x86-64
 build_id = File.basename(__FILE__, '.rb').split('-').last
-OneGadget::Gadget.add(build_id, 0x4526a, constraints: ['[rsp+0x30] == NULL'])
-OneGadget::Gadget.add(build_id, 0xef6c4, constraints: ['[rsp+0x50] == NULL'])
-OneGadget::Gadget.add(build_id, 0xf0567, constraints: ['[rsp+0x70] == NULL'])
-OneGadget::Gadget.add(build_id, 0xf5b10, constraints: ['[rbp-0xf8] == NULL', 'rcx == NULL'])
+OneGadget::Gadget.add(build_id, 0x4526a, constraints: ['[rsp+0x30] == NULL'],
+                                         effect: 'execve("/bin/sh", rsp+0x30, environ)')
+OneGadget::Gadget.add(build_id, 0xef6c4, constraints: ['[rsp+0x50] == NULL'],
+                                         effect: 'execve("/bin/sh", rsp+0x50, environ)')
+OneGadget::Gadget.add(build_id, 0xf0567, constraints: ['[rsp+0x70] == NULL'],
+                                         effect: 'execve("/bin/sh", rsp+0x70, environ)')
+OneGadget::Gadget.add(build_id, 0xcc543, constraints: ['rcx == NULL || [rcx] == NULL',
+                                                       'r12 == NULL || [r12] == NULL'],
+                                         effect: 'execve("/bin/sh", rcx, r12)')
+OneGadget::Gadget.add(build_id, 0xf5b10, constraints: ['[rbp-0xf8] == NULL || [[rbp-0xf8]] == NULL',
+                                                       'rcx == NULL || [rcx] == NULL'],
+                                         effect: 'execve("/bin/sh", rcx, [rbp-0xf8])')

data/lib/one_gadget/builds/libc-2.23-926eb99d49cab2e5622af38ab07395f5b32035e9.rb

@@ -5,4 +5,6 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 rw_area_constraint = 'esi is the address of `rw-p` area of libc'
 OneGadget::Gadget.add(build_id, 0x3ac69, constraints: [rw_area_constraint, '[esp+0x34] == NULL'])
 OneGadget::Gadget.add(build_id, 0x5fbbe, constraints: [rw_area_constraint, 'eax == NULL'])
+OneGadget::Gadget.add(build_id, 0x5fbbf, constraints: [rw_area_constraint, '[esp] == NULL'])
 OneGadget::Gadget.add(build_id, 0x12036c, constraints: [rw_area_constraint, 'eax == NULL'])
+OneGadget::Gadget.add(build_id, 0x12036d, constraints: [rw_area_constraint, '[esp] == NULL'])

data/lib/one_gadget/emulators/amd64.rb

@@ -1,43 +1,13 @@
-require 'one_gadget/emulators/processor'
-require 'one_gadget/emulators/instruction'
+require 'one_gadget/emulators/x86'
+require 'one_gadget/abi'
 
 module OneGadget
   module Emulators
     # Emulator of amd64 instruction set.
-    class Amd64 < Processor
-      REGISTERS = %w(rax rbx rcx rdx rdi rsi rbp rsp rip) + 7.upto(15).map { |i| "r#{i}" }
-
-      # Instantiate a {Amd64} object.
+    class Amd64 < X86
+      # Instantiate an {Amd64} object.
       def initialize
-        super(REGISTERS)
-      end
-
-      # Process one command.
-      # @param [String] cmd
-      #   One line from result of objdump.
-      # @return [void]
-      def process(cmd)
-        inst, args = parse(cmd)
-        # where should this be defined..?
-        return if inst.inst == 'call' # later
-        case inst.inst
-        when 'mov', 'lea'
-          tar = args[0]
-          src = OneGadget::Emulators::Lambda.parse(args[1], predefined: @registers)
-        end
-        src.ref! if inst.inst == 'lea'
-
-        @registers[tar] = src
-      end
-
-      # Support instruction set.
-      # @return [Array<Instruction>] The support instructions.
-      def instructions
-        [
-          Instruction.new('mov', 2),
-          Instruction.new('lea', 2),
-          Instruction.new('call', 1)
-        ]
+        super(OneGadget::ABI.amd64, 'rsp', 'rip')
       end
     end
   end

data/lib/one_gadget/emulators/i386.rb

@@ -0,0 +1,20 @@
+require 'one_gadget/emulators/x86'
+require 'one_gadget/abi'
+
+module OneGadget
+  module Emulators
+    # Emulator of amd64 instruction set.
+    class I386 < X86
+      class << self
+        def bits
+          32
+        end
+      end
+
+      # Instantiate an {I386} object.
+      def initialize
+        super(OneGadget::ABI.i386, 'esp', 'eip')
+      end
+    end
+  end
+end

data/lib/one_gadget/emulators/lambda.rb

@@ -74,6 +74,17 @@ module OneGadget
         str
       end
 
+      # Eval the value of lambda.
+      # Only support those like +rsp+0x30+.
+      # @param [Hash{String => Integer}] context
+      #   The context.
+      # @return [Integer] Result of evaluation.
+      def evaluate(context)
+        raise ArgumentError, "Can't eval #{self}" if deref_count > 0
+        raise ArgumentError, "Can't eval #{self}" if obj && !context.key?(obj)
+        context[obj] + immi
+      end
+
       class << self
         # Target: parse something like +[rsp+0x50]+ into a {Lambda} object.
         # @param [String] arg
@@ -84,20 +95,21 @@ module OneGadget
         # @example
         #   parse('[rsp+0x50]') #=> #<Lambda @obj='rsp', @immi=80, @deref_count=1>
         def parse(arg, predefined: {})
-          ret = Lambda.new('tmp')
+          deref_count = 0
           if arg[0] == '[' # a little hack because there should nerver something like +[[rsp+1]+2]+ to parse.
             arg = arg[1..-2]
-            ret.deref_count += 1
+            deref_count = 1
           end
           return Integer(arg) if OneGadget::Helper.integer?(arg)
           sign = arg =~ /[+-]/
-          raise ArgumentError, "Not support #{arg}" if sign && !OneGadget::Helper.integer?(arg[sign..-1])
+          val = 0
           if sign
-            ret.immi = Integer(arg[sign..-1])
+            raise ArgumentError, "Not support #{arg}" unless OneGadget::Helper.integer?(arg[sign..-1])
+            val = Integer(arg[sign..-1])
             arg = arg[0, sign]
           end
-          ret.obj = predefined[arg] || arg
-          ret
+          obj = (predefined[arg] || Lambda.new(arg)) + val
+          deref_count.zero? ? obj : obj.deref
         end
       end
     end

data/lib/one_gadget/emulators/processor.rb

@@ -6,10 +6,12 @@ module OneGadget
     # Base class of a processor.
     class Processor
       attr_reader :registers # @return [Hash{String => OneGadget::Emulators::Lambda}] The current registers' state.
+      attr_reader :stack # @return [Hash{Integer => OneGadget::Emulators::Lambda}] The content on stack.
       # Instantiate a {Processor} object.
       # @param [Array<String>] registers Registers that supported in the architecture.
       def initialize(registers)
         @registers = registers.map { |reg| [reg, OneGadget::Emulators::Lambda.new(reg)] }.to_h
+        @stack = {}
       end
 
       # Parse one command into instruction and arguments.

data/lib/one_gadget/emulators/x86.rb

@@ -0,0 +1,111 @@
+require 'one_gadget/emulators/processor'
+require 'one_gadget/emulators/instruction'
+
+module OneGadget
+  module Emulators
+    # Super class for amd64 and i386 processor.
+    class X86 < Processor
+      attr_reader :sp # @return [String] Stack pointer.
+      attr_reader :pc # @return [String] Program counter.
+      # Constructor for a x86 processor.
+      def initialize(registers, sp, pc)
+        super(registers)
+        @sp = sp
+        @pc = pc
+        @stack = Hash.new do |h, k|
+          lmda = OneGadget::Emulators::Lambda.new(sp)
+          lmda.immi = k
+          lmda.deref!
+          h[k] = lmda
+        end
+      end
+
+      # Process one command.
+      # @param [String] cmd
+      #   One line from result of objdump.
+      # @return [void]
+      def process(cmd)
+        inst, args = parse(cmd)
+        return registers[pc] = args[0] if inst.inst == 'call'
+        return if inst.inst == 'jmp' # believe the fetcher has handled jmp.
+        sym = "inst_#{inst.inst}".to_sym
+        send(sym, *args)
+      end
+
+      # Support instruction set.
+      # @return [Array<Instruction>] The support instructions.
+      def instructions
+        [
+          Instruction.new('mov', 2),
+          Instruction.new('lea', 2),
+          Instruction.new('add', 2),
+          Instruction.new('sub', 2),
+          Instruction.new('push', 1),
+          Instruction.new('call', 1),
+          Instruction.new('jmp', 1)
+        ]
+      end
+
+      class << self
+        # 32 or 64.
+        # @return [Integer] 32 or 64.
+        def bits; raise NotImplementedError
+        end
+      end
+
+      private
+
+      def register?(reg)
+        registers.include?(reg)
+      end
+
+      def inst_mov(tar, src)
+        src = OneGadget::Emulators::Lambda.parse(src, predefined: registers)
+        if register?(tar)
+          registers[tar] = src
+        else
+          # Just ignore strange case...
+          return unless tar.include?(sp)
+          tar = OneGadget::Emulators::Lambda.parse(tar, predefined: registers)
+          return if tar.deref_count != 1 # should not happened
+          tar.ref!
+          stack[tar.evaluate(eval_dict)] = src
+        end
+      end
+
+      def inst_lea(tar, src)
+        src = OneGadget::Emulators::Lambda.parse(src, predefined: registers)
+        src.ref!
+        registers[tar] = src
+      end
+
+      def inst_push(val)
+        val = OneGadget::Emulators::Lambda.parse(val, predefined: registers)
+        registers[sp] -= bytes
+        cur_top = registers[sp].evaluate(eval_dict)
+        raise ArgumentError, "Corrupted stack pointer: #{cur_top}" unless cur_top.is_a?(Integer)
+        stack[cur_top] = val
+      end
+
+      def inst_add(tar, src)
+        src = OneGadget::Emulators::Lambda.parse(src, predefined: registers)
+        registers[tar] += src
+      end
+
+      def inst_sub(tar, src)
+        src = OneGadget::Emulators::Lambda.parse(src, predefined: registers)
+        registers[tar] -= src
+      end
+
+      def bytes
+        self.class.bits / 8
+      end
+
+      def eval_dict
+        dict = {}
+        dict[sp] = 0
+        dict
+      end
+    end
+  end
+end

data/lib/one_gadget/fetcher.rb

@@ -39,9 +39,24 @@ module OneGadget
           i386: OneGadget::Fetcher::I386,
           unknown: OneGadget::Fetcher::Base
         }[OneGadget::Helper.architecture(file)].new(file).find
+        gadgets = trim_gadgets(gadgets)
         return gadgets if details
         gadgets.map(&:offset)
       end
+
+      private
+
+      # Unique, remove gadgets with harder constraints.
+      def trim_gadgets(gadgets)
+        gadgets = gadgets.uniq(&:constraints).sort_by { |g| g.constraints.size }
+        res = []
+        gadgets.each_with_index do |g, i|
+          res << g unless i.times.any? do |j|
+            (gadgets[j].constraints - g.constraints).empty?
+          end
+        end
+        res.sort_by!(&:offset)
+      end
     end
     extend ClassMethods
   end

data/lib/one_gadget/fetchers/amd64.rb

@@ -7,32 +7,53 @@ module OneGadget
       # Gadgets for amd64 glibc.
       # @return [Array<OneGadget::Gadget::Gadget>] Gadgets found.
       def find
-        bin_sh_hex = str_offset('/bin/sh').to_s(16)
-        cands = candidates do |candidate|
-          next false unless candidate.include?(bin_sh_hex) # works in x86-64
-          next false unless candidate.lines.last.include?('execve') # only care execve
-          true
-        end
-        cands.map do |candidate|
+        candidates.map do |candidate|
           processor = OneGadget::Emulators::Amd64.new
           candidate.lines.each { |l| processor.process(l) }
           offset = offset_of(candidate)
-          constraints = gen_constraints(processor)
-          next nil if constraints.nil? # impossible be a gadget
-          OneGadget::Gadget::Gadget.new(offset, constraints: constraints)
+          options = resolve(processor)
+          next nil if options.nil? # impossible be a gadget
+          OneGadget::Gadget::Gadget.new(offset, options)
         end.compact
       end
 
       private
 
-      def gen_constraints(processor)
+      def candidates
+        bin_sh_hex = str_offset('/bin/sh').to_s(16)
+        cands = super do |candidate|
+          next false unless candidate.include?(bin_sh_hex) # works in x86-64
+          next false unless candidate.lines.last.include?('execve') # only care execve
+          true
+        end
+        # find gadgets in form:
+        #   lea rdi, '/bin/sh'
+        #   jmp xxx
+        # xxx:
+        #   ...
+        #   call execve
+        cands2 = `#{objdump_cmd}|egrep 'rdi.*# #{bin_sh_hex}' -A 1`.split('--').map do |cand|
+          cand = cand.lines.map(&:strip).reject(&:empty?)
+          next nil unless cand.last.include?('jmp')
+          jmp_addr = cand.last.scan(/jmp\s+([\da-f]+)\s/)[0][0].to_i(16)
+          dump = `#{objdump_cmd(start: jmp_addr, stop: jmp_addr + 100)}|egrep '[0-9a-f]+:'`
+          remain = dump.lines.map(&:strip).reject(&:empty?)
+          remain = remain[0..remain.index { |r| r.match(/call.*<execve[^+]*>/) }]
+          [cand + remain].join("\n")
+        end.compact
+        cands + cands2
+      end
+
+      def resolve(processor)
         # check rdi should always related to rip
         return unless processor.registers['rdi'].to_s.include?('rip')
         # rsi or [rsi] should be zero
-        [
-          should_null(processor.registers['rsi'].to_s),
-          should_null(processor.registers['rdx'].to_s, allow_global: true)
-        ].compact
+        rsi = processor.registers['rsi'].to_s
+        cons = [should_null(rsi)]
+        rdx = processor.registers['rdx'].to_s
+        env_cons = should_null(rdx, allow_global: true)
+        cons << env_cons if env_cons
+        { constraints: cons, effect: %(execve("/bin/sh", #{rsi}, #{env_cons ? rdx : 'environ'})) }
       end
 
       def should_null(str, allow_global: false)

data/lib/one_gadget/fetchers/base.rb

@@ -22,7 +22,7 @@ module OneGadget
       # @return [Array<String>]
       #   Each +String+ returned is multi-lines of assembly code.
       def candidates(&block)
-        cands = `objdump -w -d -M intel #{file}|egrep 'call.*<exec[^+]*>$' -B 20`.split('--').map do |cand|
+        cands = `#{objdump_cmd}|egrep 'call.*<exec[^+]*>$' -B 20`.split('--').map do |cand|
           cand.lines.map(&:strip).reject(&:empty?).join("\n")
         end
         # remove all calls, jmps
@@ -33,6 +33,13 @@ module OneGadget
 
       private
 
+      def objdump_cmd(start: nil, stop: nil)
+        cmd = %(objdump -w -d -M intel "#{file}")
+        cmd.concat(" --start-address #{start}") if start
+        cmd.concat(" --stop-address #{stop}") if stop
+        cmd
+      end
+
       def slice_prefix(cands)
         cands.map do |cand|
           lines = cand.lines
@@ -55,19 +62,7 @@ module OneGadget
       end
 
       def offset_of(assembly)
-        lines = assembly.lines
-        lines.first.scan(/^([\da-f]+):/)[0][0].to_i(16)
-      end
-
-      def convert_to_gadget(assembly, &block)
-        lines = assembly.lines
-        offset = lines.first.scan(/^([\da-f]+):/)[0][0].to_i(16)
-        # fetch those might be constraints lines.
-        important_lines = lines.select(&block).map do |line|
-          ar = line.split("\t")
-          "#{ar.first} #{ar.last.gsub(/\s+/, ' ')}"
-        end
-        OneGadget::Gadget::Gadget.new(offset, constraints: important_lines)
+        assembly.scan(/^([\da-f]+):/)[0][0].to_i(16)
       end
     end
   end

data/lib/one_gadget/fetchers/i386.rb

@@ -1,4 +1,6 @@
 require 'one_gadget/fetchers/base'
+require 'one_gadget/emulators/i386'
+
 module OneGadget
   module Fetcher
     # Fetcher for i386.
@@ -8,49 +10,115 @@ module OneGadget
       def find
         rw_off = rw_offset
         bin_sh = str_offset('/bin/sh')
-        minus_c = str_offset('-c')
         rel_sh_hex = (rw_off - bin_sh).to_s(16)
-        rel_minus_c = (rw_off - minus_c).to_s(16)
         cands = candidates do |candidate|
           next false unless candidate.include?(rel_sh_hex)
           true
         end
-        # remove lines before and with -c appears
-        cands = slice_prefix(cands) do |line|
-          line.include?(rel_minus_c)
-        end
-        # special handle for execl call
-        cands.map! do |cand|
+        cands.map do |cand|
           lines = cand.lines
-          next cand unless lines.last.include?('execl')
-          # Find the last three +push+, or mov [esp+0x8], .*
-          # Make it call +execl("/bin/sh", "sh", NULL)+.
-          if cand.include?('esp+0x8')
-            to_rm = lines.index { |c| c.include?('esp+0x8') }
-          else
-            push_cnt = 0
-            to_rm = lines.rindex do |c|
-              push_cnt += 1 if c.include?('push')
-              push_cnt >= 3
-            end
+          # use processor to find which can lead to a valid one-gadget call.
+          gadgets = []
+          (lines.size - 2).downto(0) do |i|
+            processor = emulate(lines[i..-1])
+            options = resolve(processor, bin_sh: rw_off - bin_sh)
+            next if options.nil?
+            offset = offset_of(lines[i])
+            gadgets << OneGadget::Gadget::Gadget.new(offset, options)
           end
-          lines = lines[to_rm..-1] unless to_rm.nil?
-          lines.join
-        end
-        cands.map do |candidate|
-          convert_to_gadget(candidate) do |_|
-            true
-          end
-        end
+          gadgets
+        end.flatten.compact
       end
 
       private
 
+      def emulate(cmds)
+        cmds.each_with_object(OneGadget::Emulators::I386.new) { |cmd, obj| obj.process(cmd) }
+      end
+
+      # Generating constraints to be a valid gadget.
+      # @param [OneGadget::Emulators::I386] processor The processor after executing the gadget.
+      # @param [Integer] bin_sh The related offset refer to /bin/sh.
+      # @return [Hash{Symbol => Array<String>, String}, NilClass]
+      #   The options to create a {OneGadget::Gadget::Gadget} object.
+      #   Keys might be:
+      #   1. constraints: Array<String> List of constraints.
+      #   2. effect: String Result function call of this gadget.
+      #   If the constraints can never be satisfied, +nil+ is returned.
+      def resolve(processor, bin_sh: 0)
+        call = processor.registers['eip'].to_s
+        cur_top = processor.registers['esp'].evaluate('esp' => 0)
+        arg = processor.stack[cur_top]
+        # arg0 must be /bin/sh
+        return nil unless arg.to_s.include?(bin_sh.to_s(16))
+        rw_base = arg.deref.obj.to_s # this should be esi or ebx..
+        arg1 = processor.stack[cur_top + 4]
+        arg2 = processor.stack[cur_top + 8]
+        options = if call.include?('execve')
+                    resolve_execve(arg1, arg2, rw_base: rw_base)
+                  elsif call.include?('execl')
+                    resolve_execl(arg1, arg2, rw_base: rw_base, sh: bin_sh - 5)
+                  end
+        return nil if options.nil?
+        options[:constraints].unshift("#{rw_base} is the address of `rw-p` area of libc")
+        options
+      end
+
+      # Resolve +call execl+ case.
+      # @param [OneGadget::Emulators::Lambda] arg1
+      #   The second argument.
+      # @param [OneGadget::Emulators::Lambda] arg2
+      #   The third argument.
+      # @param [String] rw_base Usually +ebx+ or +esi+.
+      # @param [Integer] sh The relative offset of string 'sh' appears.
+      # @return [Hash{Symbol => Array<String>, String}]
+      #   Same format as {#resolve}.
+      def resolve_execl(arg1, arg2, rw_base: nil, sh: 0)
+        args = []
+        arg = arg1.to_s
+        if arg.include?(sh.to_s(16))
+          arg = arg2.to_s
+          args << '"sh"'
+        end
+        args << arg
+        return nil if arg.include?(rw_base) || arg.include?('eip') # we don't want base-related constraints
+        # now arg is the constraint.
+        { constraints: ["#{arg} == NULL"], effect: %(execl("/bin/sh", #{args.join(', ')})) }
+      end
+
+      # Resolve +call execve+ case.
+      # @param [OneGadget::Emulators::Lambda] arg1
+      #   The second argument.
+      # @param [OneGadget::Emulators::Lambda] arg2
+      #   The third argument.
+      # @param [String] rw_base Usually +ebx+ or +esi+.
+      # @return [Hash{Symbol => Array<String>, String}]
+      #   Same format as {#resolve}.
+      def resolve_execve(arg1, arg2, rw_base: nil)
+        # arg1 == NULL || [arg1] == NULL
+        # arg2 == NULL or arg2 is environ
+        cons = [should_null(arg1.to_s)]
+        envp = arg2.to_s
+        use_env = true
+        unless envp.include?('[[') && envp.include?(rw_base) # hope this is environ_ptr_0
+          return nil if envp.include?('[') # we don't like this :(
+          cons << should_null(envp)
+          use_env = false
+        end
+        { constraints: cons, effect: %(execve("/bin/sh", #{arg1}, #{use_env ? 'environ' : envp})) }
+      end
+
       def rw_offset
         # How to find this offset correctly..?
         line = `readelf -d #{file}|grep PLTGOT`
         line.scan(/0x[\da-f]+/).last.to_i(16) & -0x1000
       end
+
+      def should_null(str)
+        ret = "[#{str}] == NULL"
+        ret += " || #{str} == NULL" unless str.include?('esp')
+        ret
+      end
     end
   end
 end

data/lib/one_gadget/gadget.rb

@@ -9,6 +9,8 @@ module OneGadget
       attr_accessor :offset
       # @return [Array<String>] The constraints need for this gadget.
       attr_accessor :constraints
+      # @return [String] The final result of this gadget.
+      attr_accessor :effect
 
       # Initialize method of {Gadget} instance.
       # @param [Integer] offset The relative address offset of this gadget.
@@ -19,17 +21,19 @@ module OneGadget
       def initialize(offset, **options)
         @offset = offset
         @constraints = options[:constraints] || []
+        @effect = options[:effect]
       end
 
       # Show gadget in a pretty way.
       def inspect
-        str = format("#{OneGadget::Helper.colorize('offset', sev: :sym)}: 0x%x\n", offset)
+        str = OneGadget::Helper.hex(offset)
+        str += effect ? "\t#{effect}\n" : "\n"
         unless constraints.empty?
           str += "#{OneGadget::Helper.colorize('constraints')}:\n  "
           str += constraints.join("\n  ")
         end
         str.gsub!(/0x[\da-f]+/) { |s| OneGadget::Helper.colorize(s, sev: :integer) }
-        OneGadget::ABI.registers.each { |reg| str.gsub!(reg, OneGadget::Helper.colorize(reg, sev: :reg)) }
+        OneGadget::ABI.all.each { |reg| str.gsub!(reg, OneGadget::Helper.colorize(reg, sev: :reg)) }
         str + "\n"
       end
     end

data/lib/one_gadget/helper.rb

@@ -132,8 +132,8 @@ module OneGadget
       # @return [String]
       #   Only supports :amd64, :i386 now.
       def architecture(file)
-        str = `file #{::Shellwords.escape(file)}`
-        return :amd64 if str.include?('x86-64')
+        str = `readelf -h #{::Shellwords.escape(file)}`
+        return :amd64 if str.include?('X86-64')
         return :i386 if str.include?('Intel 80386')
         :unknown
       end

data/lib/one_gadget/version.rb

@@ -1,3 +1,3 @@
 module OneGadget
-  VERSION = '1.2.0'.freeze
+  VERSION = '1.3.0'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: one_gadget
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.3.0
 platform: ruby
 authors:
 - david942j
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-02-17 00:00:00.000000000 Z
+date: 2017-02-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -102,9 +102,11 @@ files:
 - lib/one_gadget/builds/libc-2.23-926eb99d49cab2e5622af38ab07395f5b32035e9.rb
 - lib/one_gadget/builds/libc-2.23-edceed30099baad51871c5fc277daf9b74dc726a.rb
 - lib/one_gadget/emulators/amd64.rb
+- lib/one_gadget/emulators/i386.rb
 - lib/one_gadget/emulators/instruction.rb
 - lib/one_gadget/emulators/lambda.rb
 - lib/one_gadget/emulators/processor.rb
+- lib/one_gadget/emulators/x86.rb
 - lib/one_gadget/fetcher.rb
 - lib/one_gadget/fetchers/amd64.rb
 - lib/one_gadget/fetchers/base.rb