one_gadget 1.3.7 → 1.3.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +31 -22
- data/lib/one_gadget.rb +19 -4
- data/lib/one_gadget/fetcher.rb +1 -1
- data/lib/one_gadget/fetchers/amd64.rb +2 -1
- data/lib/one_gadget/fetchers/i386.rb +3 -2
- data/lib/one_gadget/helper.rb +8 -8
- data/lib/one_gadget/logger.rb +1 -0
- data/lib/one_gadget/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e47c77be5fc1a63c461fad7c0cecc0017540da61
|
|
4
|
+
data.tar.gz: 44c7d81b31fc80f8596a747d93f9aa1793a4518a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b85a66bdb6a16879fce76720e7b26afd3a0de0f2fb22a5ff86d0c24de49a440ab1fe6f248ee873f05f3e9427a3a39171183f26c38875a5fea23bfd77e56fdc53
|
|
7
|
+
data.tar.gz: 495b9930e3b6200e29efe0c3b1c7a8d858abdf99503acce96f92175dd3b80b095385ecc34fdc8c29b1fe6c54c65637e77aebf9c19662ac4e7de26608157c0a52
|
data/README.md
CHANGED
|
@@ -11,9 +11,9 @@
|
|
|
11
11
|
When playing ctf pwn challenges we usually need the one-gadget RCE (remote code execution),
|
|
12
12
|
which leads to call `execve('/bin/sh', NULL, NULL)`.
|
|
13
13
|
|
|
14
|
-
This gem provides such gadgets finder, no need to use IDA-pro every time like a fool
|
|
14
|
+
This gem provides such gadgets finder, no need to use objdump or IDA-pro every time like a fool :wink:
|
|
15
15
|
|
|
16
|
-
|
|
16
|
+
To use this tool, just type `one_gadget /path/to/libc` in command line and enjoy the magic :laughing:
|
|
17
17
|
|
|
18
18
|
Note: Supports amd64 and i386!
|
|
19
19
|
|
|
@@ -24,15 +24,17 @@ Available on RubyGems.org!
|
|
|
24
24
|
gem install one_gadget
|
|
25
25
|
```
|
|
26
26
|
|
|
27
|
+
Note: require ruby version >= 2.1.0, you can use `ruby --version` to check.
|
|
28
|
+
|
|
27
29
|
## Implementation
|
|
28
30
|
|
|
29
31
|
OneGadget use simple self-implement symbolic execution to find the constraints of gadgets.
|
|
30
32
|
|
|
31
|
-
The article introducing how I
|
|
33
|
+
The article introducing how I develop this tool can be found [here](https://david942j.blogspot.com/2017/02/project-one-gadget-in-glibc.html).
|
|
32
34
|
|
|
33
35
|
## Usage
|
|
34
36
|
|
|
35
|
-
### Command Line
|
|
37
|
+
### Command Line Interface
|
|
36
38
|
|
|
37
39
|
```bash
|
|
38
40
|
one_gadget
|
|
@@ -42,34 +44,35 @@ one_gadget
|
|
|
42
44
|
# -r, --[no-]raw Output gadgets offset only, split with one space.
|
|
43
45
|
# -s, --script exploit-script Run exploit script with all possible gadgets.
|
|
44
46
|
# The script will be run as 'exploit-script $offset'.
|
|
47
|
+
# --version Current gem version.
|
|
45
48
|
|
|
46
49
|
one_gadget -b 60131540dadc6796cab33388349e6e4e68692053
|
|
47
50
|
# 0x4526a execve("/bin/sh", rsp+0x30, environ)
|
|
48
51
|
# constraints:
|
|
49
52
|
# [rsp+0x30] == NULL
|
|
50
|
-
#
|
|
53
|
+
#
|
|
54
|
+
# 0xcc543 execve("/bin/sh", rcx, r12)
|
|
55
|
+
# constraints:
|
|
56
|
+
# [rcx] == NULL || rcx == NULL
|
|
57
|
+
# [r12] == NULL || r12 == NULL
|
|
58
|
+
#
|
|
59
|
+
# 0xcc618 execve("/bin/sh", rax, r12)
|
|
60
|
+
# constraints:
|
|
61
|
+
# [rax] == NULL || rax == NULL
|
|
62
|
+
# [r12] == NULL || r12 == NULL
|
|
63
|
+
#
|
|
51
64
|
# 0xef6c4 execve("/bin/sh", rsp+0x50, environ)
|
|
52
65
|
# constraints:
|
|
53
66
|
# [rsp+0x50] == NULL
|
|
54
|
-
#
|
|
67
|
+
#
|
|
55
68
|
# 0xf0567 execve("/bin/sh", rsp+0x70, environ)
|
|
56
69
|
# constraints:
|
|
57
70
|
# [rsp+0x70] == NULL
|
|
58
|
-
#
|
|
59
|
-
# 0xcc543 execve("/bin/sh", rcx, r12)
|
|
60
|
-
# constraints:
|
|
61
|
-
# rcx == NULL || [rcx] == NULL
|
|
62
|
-
# r12 == NULL || [r12] == NULL
|
|
63
|
-
#
|
|
64
|
-
# 0xcc618 execve("/bin/sh", rax, r12)
|
|
65
|
-
# constraints:
|
|
66
|
-
# rax == NULL || [rax] == NULL
|
|
67
|
-
# r12 == NULL || [r12] == NULL
|
|
68
|
-
#
|
|
71
|
+
#
|
|
69
72
|
# 0xf5b10 execve("/bin/sh", rcx, [rbp-0xf8])
|
|
70
73
|
# constraints:
|
|
71
|
-
# [
|
|
72
|
-
#
|
|
74
|
+
# [rcx] == NULL || rcx == NULL
|
|
75
|
+
# [[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL
|
|
73
76
|
|
|
74
77
|
one_gadget /lib/i386-linux-gnu/libc.so.6
|
|
75
78
|
# 0x3ac69 execve("/bin/sh", esp+0x34, environ)
|
|
@@ -104,18 +107,19 @@ one_gadget ./spec/data/libc-2.19.so -s 'echo "offset ->"'
|
|
|
104
107
|
require 'one_gadget'
|
|
105
108
|
OneGadget.gadgets(file: '/lib/x86_64-linux-gnu/libc.so.6')
|
|
106
109
|
# => [283242, 980676, 984423, 836931, 837144, 1006352]
|
|
110
|
+
|
|
107
111
|
# or in shorter way
|
|
108
|
-
one_gadget(
|
|
112
|
+
one_gadget('/lib/x86_64-linux-gnu/libc.so.6')
|
|
109
113
|
# => [283242, 980676, 984423, 836931, 837144, 1006352]
|
|
110
114
|
|
|
111
115
|
# from build id
|
|
112
|
-
one_gadget(
|
|
116
|
+
one_gadget('60131540dadc6796cab33388349e6e4e68692053')
|
|
113
117
|
# => [283242, 980676, 984423, 836931, 837144, 1006352]
|
|
114
118
|
```
|
|
115
119
|
|
|
116
120
|
## Screenshots
|
|
117
121
|
|
|
118
|
-
### Search gadgets
|
|
122
|
+
### Search gadgets in libc
|
|
119
123
|
|
|
120
124
|
#### 64 bit
|
|
121
125
|
|
|
@@ -126,3 +130,8 @@ one_gadget(build_id: '60131540dadc6796cab33388349e6e4e68692053')
|
|
|
126
130
|
### Fetch gadgets from database
|
|
127
131
|
|
|
128
132
|
|
|
133
|
+
## Make OneGadget Better
|
|
134
|
+
Any suggestion or feature request is welcome! Feel free to send a pull request.
|
|
135
|
+
|
|
136
|
+
Please let me know if you find any libc that make OneGadget fail to find gadgets.
|
|
137
|
+
And, if you like this work, I'll be happy to be [stared](https://github.com/david942j/one_gadget/stargazers) :grimacing:
|
data/lib/one_gadget.rb
CHANGED
|
@@ -1,6 +1,8 @@
|
|
|
1
1
|
# OneGadget - To find the execve(/bin/sh, 0, 0) in glibc.
|
|
2
2
|
#
|
|
3
3
|
# @author david942j
|
|
4
|
+
|
|
5
|
+
# Main module.
|
|
4
6
|
module OneGadget
|
|
5
7
|
class << self
|
|
6
8
|
# The man entry of gem +one_gadget+.
|
|
@@ -38,12 +40,25 @@ module OneGadget
|
|
|
38
40
|
end
|
|
39
41
|
|
|
40
42
|
# Shorter way to use one gadget.
|
|
41
|
-
# @param [
|
|
42
|
-
#
|
|
43
|
+
# @param [String?] arg
|
|
44
|
+
# Can be either +build_id+ or path to libc.
|
|
45
|
+
# @param [Mixed] options
|
|
46
|
+
# See {OneGadget#gadgets} for ore information.
|
|
43
47
|
# @return [Array<OneGadget::Gadget::Gadget>, Array<Integer>]
|
|
44
48
|
# The gadgets found.
|
|
45
|
-
|
|
46
|
-
|
|
49
|
+
# @example
|
|
50
|
+
# one_gadget('./libc.so.6')
|
|
51
|
+
# one_gadget('cbfa941a8eb7a11e4f90e81b66fcd5a820995d7c')
|
|
52
|
+
# one_gadget('./libc.so.6', details: true)
|
|
53
|
+
def one_gadget(arg = nil, **options)
|
|
54
|
+
unless arg.nil?
|
|
55
|
+
if arg =~ /\A#{OneGadget::Helper::BUILD_ID_FORMAT}\Z/
|
|
56
|
+
options[:build_id] = arg
|
|
57
|
+
else
|
|
58
|
+
options[:file] = arg
|
|
59
|
+
end
|
|
60
|
+
end
|
|
61
|
+
OneGadget.gadgets(**options)
|
|
47
62
|
end
|
|
48
63
|
|
|
49
64
|
require 'one_gadget/fetcher'
|
data/lib/one_gadget/fetcher.rb
CHANGED
data/lib/one_gadget/helper.rb
CHANGED
|
@@ -65,10 +65,8 @@ module OneGadget
|
|
|
65
65
|
# Fetch the latest release version's tag name.
|
|
66
66
|
# @return [String] The tag name, in form +vx.x.x+.
|
|
67
67
|
def latest_tag
|
|
68
|
-
releases_url = 'https://github.com/david942j/one_gadget/releases'
|
|
69
|
-
@latest_tag ||=
|
|
70
|
-
Gem::Version.new(tag.first)
|
|
71
|
-
end.max.to_s
|
|
68
|
+
releases_url = 'https://github.com/david942j/one_gadget/releases/latest'
|
|
69
|
+
@latest_tag ||= url_request(releases_url).split('/').last
|
|
72
70
|
end
|
|
73
71
|
|
|
74
72
|
# Get the url which can fetch +filename+ from remote repo.
|
|
@@ -76,7 +74,7 @@ module OneGadget
|
|
|
76
74
|
# @return [String] The url.
|
|
77
75
|
def url_of_file(filename)
|
|
78
76
|
raw_file_url = 'https://raw.githubusercontent.com/david942j/one_gadget/@tag/@file'
|
|
79
|
-
raw_file_url.
|
|
77
|
+
raw_file_url.sub('@tag', latest_tag).sub('@file', filename)
|
|
80
78
|
end
|
|
81
79
|
|
|
82
80
|
# Download the latest version of +file+ in +lib/one_gadget/builds/+ from remote repo.
|
|
@@ -99,7 +97,9 @@ module OneGadget
|
|
|
99
97
|
|
|
100
98
|
# Get request.
|
|
101
99
|
# @param [String] url The url.
|
|
102
|
-
# @return [String]
|
|
100
|
+
# @return [String]
|
|
101
|
+
# The request response body.
|
|
102
|
+
# If the response is '302 Found', return the location in header.
|
|
103
103
|
def url_request(url)
|
|
104
104
|
uri = URI.parse(url)
|
|
105
105
|
http = Net::HTTP.new(uri.host, uri.port)
|
|
@@ -109,8 +109,8 @@ module OneGadget
|
|
|
109
109
|
request = Net::HTTP::Get.new(uri.request_uri)
|
|
110
110
|
|
|
111
111
|
response = http.request(request)
|
|
112
|
-
raise ArgumentError, "Fail to get response of #{url}" unless response.code
|
|
113
|
-
response.body
|
|
112
|
+
raise ArgumentError, "Fail to get response of #{url}" unless %w(200 302).include?(response.code)
|
|
113
|
+
response.code == '302' ? response['location'] : response.body
|
|
114
114
|
rescue NoMethodError, SocketError, ArgumentError => e
|
|
115
115
|
p e
|
|
116
116
|
nil
|
data/lib/one_gadget/logger.rb
CHANGED
data/lib/one_gadget/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: one_gadget
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.3.
|
|
4
|
+
version: 1.3.8
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- david942j
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-05-26 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: elftools
|