one_gadget 1.3.0 → 1.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3cc62d276055fdb8dc5a968da82d417248f07d4b
-  data.tar.gz: 9b102faa2884dfb094e2c8b4a1df5f32fb7f5eaf
+  metadata.gz: ee18c2057ce192dccd5652685097b181099130ea
+  data.tar.gz: 289b4547cb6ce787d3f97198ea91d90cba29f2cf
 SHA512:
-  metadata.gz: b86e5a6ad42af54af86358385aab99a43d3f04aeb5ce8303c68d0fcb15d3c06c3d916bb477cd067bb5fb504c0c4da1479f68aa56eea7742ff4996d0362c91c0b
-  data.tar.gz: 8a55837472e55ff34c52c74521f7c8358720055ed0aa6f7912563d4c1ad169aba3c6305c2480e43e576adb0df887f3b6fbdf9edba186b83d567b97e2fb9f8f50
+  metadata.gz: 75beaaf9a5a2b7c46547086ddc1642d7145eaccc1de87ba6f8ccc142e3f567ff37657650ef40a5fc86f96380738133b19952ab0996ff08f435f4d9c09302e712
+  data.tar.gz: 436a67c199ba743df17989749a21b203e0761357b92e22eece757b4d8c920a625097db0817dbda2fddd2b6928b44142190e5a95ca05e6327b75e23e4041fd7eb

data/README.md

@@ -58,6 +58,11 @@ one_gadget -b 60131540dadc6796cab33388349e6e4e68692053
 #   rcx == NULL || [rcx] == NULL
 #   r12 == NULL || [r12] == NULL
 # 
+# 0xcc618 execve("/bin/sh", rax, r12)
+# constraints:
+#   rax == NULL || [rax] == NULL
+#   r12 == NULL || [r12] == NULL
+# 
 # 0xf5b10 execve("/bin/sh", rcx, [rbp-0xf8])
 # constraints:
 #   [rbp-0xf8] == NULL || [[rbp-0xf8]] == NULL
@@ -95,7 +100,7 @@ one_gadget ./spec/data/libc-2.19.so -s 'echo "offset ->"'
 ```ruby
 require 'one_gadget'
 OneGadget.gadgets(file: '/lib/x86_64-linux-gnu/libc.so.6')
-# => [283242, 980676, 984423, 836931, 1006352]
+# => [283242, 980676, 984423, 836931, 837144, 1006352]
 ```
 
 ## Screenshots

data/lib/one_gadget/builds/libc-2.23-60131540dadc6796cab33388349e6e4e68692053.rb

@@ -11,6 +11,9 @@ OneGadget::Gadget.add(build_id, 0xf0567, constraints: ['[rsp+0x70] == NULL'],
 OneGadget::Gadget.add(build_id, 0xcc543, constraints: ['rcx == NULL || [rcx] == NULL',
                                                        'r12 == NULL || [r12] == NULL'],
                                          effect: 'execve("/bin/sh", rcx, r12)')
+OneGadget::Gadget.add(build_id, 0xcc618, constraints: ['rax == NULL || [rax] == NULL',
+                                                       'r12 == NULL || [r12] == NULL'],
+                                         effect: 'execve("/bin/sh", rax, r12)')
 OneGadget::Gadget.add(build_id, 0xf5b10, constraints: ['[rbp-0xf8] == NULL || [[rbp-0xf8]] == NULL',
                                                        'rcx == NULL || [rcx] == NULL'],
                                          effect: 'execve("/bin/sh", rcx, [rbp-0xf8])')

data/lib/one_gadget/emulators/x86.rb

@@ -21,10 +21,11 @@ module OneGadget
       end
 
       # Process one command.
+      # Will raise exceptions when encounter unhandled instruction.
       # @param [String] cmd
       #   One line from result of objdump.
       # @return [void]
-      def process(cmd)
+      def process!(cmd)
         inst, args = parse(cmd)
         return registers[pc] = args[0] if inst.inst == 'call'
         return if inst.inst == 'jmp' # believe the fetcher has handled jmp.
@@ -32,6 +33,16 @@ module OneGadget
         send(sym, *args)
       end
 
+      # Process one command, without raising any exceptions.
+      # @param [String] cmd
+      #   See {#process!} for more information.
+      # @return [void]
+      def process(cmd)
+        process!(cmd)
+      rescue ArgumentError
+        nil
+      end
+
       # Support instruction set.
       # @return [Array<Instruction>] The support instructions.
       def instructions

data/lib/one_gadget/fetchers/amd64.rb

@@ -28,13 +28,16 @@ module OneGadget
         end
         # find gadgets in form:
         #   lea rdi, '/bin/sh'
+        #   ...
         #   jmp xxx
         # xxx:
         #   ...
         #   call execve
-        cands2 = `#{objdump_cmd}|egrep 'rdi.*# #{bin_sh_hex}' -A 1`.split('--').map do |cand|
+        cands2 = `#{objdump_cmd}|egrep 'rdi.*# #{bin_sh_hex}' -A 3`.split('--').map do |cand|
           cand = cand.lines.map(&:strip).reject(&:empty?)
-          next nil unless cand.last.include?('jmp')
+          jmp_at = cand.index { |c| c.include?('jmp') }
+          next nil if jmp_at.nil?
+          cand = cand[0..jmp_at]
           jmp_addr = cand.last.scan(/jmp\s+([\da-f]+)\s/)[0][0].to_i(16)
           dump = `#{objdump_cmd(start: jmp_addr, stop: jmp_addr + 100)}|egrep '[0-9a-f]+:'`
           remain = dump.lines.map(&:strip).reject(&:empty?)
@@ -45,6 +48,8 @@ module OneGadget
       end
 
       def resolve(processor)
+        # must end with execve
+        return unless processor.registers['rip'].to_s.include?('execve')
         # check rdi should always related to rip
         return unless processor.registers['rdi'].to_s.include?('rip')
         # rsi or [rsi] should be zero

data/lib/one_gadget/version.rb

@@ -1,3 +1,3 @@
 module OneGadget
-  VERSION = '1.3.0'.freeze
+  VERSION = '1.3.1'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: one_gadget
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.3.1
 platform: ruby
 authors:
 - david942j
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-02-20 00:00:00.000000000 Z
+date: 2017-02-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec