one_gadget 1.3.7 → 1.3.8

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 33da33103c5c21696048389d2e3d0bf28518d5c7
4
- data.tar.gz: f9db6d8f8492fb3333e64c32e465117e12b8316f
3
+ metadata.gz: e47c77be5fc1a63c461fad7c0cecc0017540da61
4
+ data.tar.gz: 44c7d81b31fc80f8596a747d93f9aa1793a4518a
5
5
  SHA512:
6
- metadata.gz: 2e6812ce5a3014b3b0decf022ee10091c1c5ef0ece3fcf95b9633ed2c1cfaeb8711022dba8115d7c2ce8fb131da0687e921d5ff4d6fdf5570566a7a187d1be58
7
- data.tar.gz: 25fa9d3d24bc875c1fff2c96d125d650ade69cf5099433e5d8801cab90eeaf942071bcecdc65b0469902de27b88abd3effe726f9e8ed8a604eb9fd9bb64e485e
6
+ metadata.gz: b85a66bdb6a16879fce76720e7b26afd3a0de0f2fb22a5ff86d0c24de49a440ab1fe6f248ee873f05f3e9427a3a39171183f26c38875a5fea23bfd77e56fdc53
7
+ data.tar.gz: 495b9930e3b6200e29efe0c3b1c7a8d858abdf99503acce96f92175dd3b80b095385ecc34fdc8c29b1fe6c54c65637e77aebf9c19662ac4e7de26608157c0a52
data/README.md CHANGED
@@ -11,9 +11,9 @@
11
11
  When playing ctf pwn challenges we usually need the one-gadget RCE (remote code execution),
12
12
  which leads to call `execve('/bin/sh', NULL, NULL)`.
13
13
 
14
- This gem provides such gadgets finder, no need to use IDA-pro every time like a fool.
14
+ This gem provides such gadgets finder, no need to use objdump or IDA-pro every time like a fool :wink:
15
15
 
16
- This work provides the command-line tool `one_gadget` for easy usage.
16
+ To use this tool, just type `one_gadget /path/to/libc` in command line and enjoy the magic :laughing:
17
17
 
18
18
  Note: Supports amd64 and i386!
19
19
 
@@ -24,15 +24,17 @@ Available on RubyGems.org!
24
24
  gem install one_gadget
25
25
  ```
26
26
 
27
+ Note: require ruby version >= 2.1.0, you can use `ruby --version` to check.
28
+
27
29
  ## Implementation
28
30
 
29
31
  OneGadget use simple self-implement symbolic execution to find the constraints of gadgets.
30
32
 
31
- The article introducing how I developed this tool can be found [here](https://david942j.blogspot.com/2017/02/project-one-gadget-in-glibc.html).
33
+ The article introducing how I develop this tool can be found [here](https://david942j.blogspot.com/2017/02/project-one-gadget-in-glibc.html).
32
34
 
33
35
  ## Usage
34
36
 
35
- ### Command Line Tool
37
+ ### Command Line Interface
36
38
 
37
39
  ```bash
38
40
  one_gadget
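Review bot: the reworded link sentence regresses the tense: "The article introducing how I develop this tool" should keep the original "how I developed this tool", since the article describes work already done. Separately, the new "Note: require ruby version >= 2.1.0" is only advisory in the README; declare it as `required_ruby_version` in the gemspec as well so `gem install` refuses unsupported interpreters instead of failing later at load time.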
@@ -42,34 +44,35 @@ one_gadget
42
44
  # -r, --[no-]raw Output gadgets offset only, split with one space.
43
45
  # -s, --script exploit-script Run exploit script with all possible gadgets.
44
46
  # The script will be run as 'exploit-script $offset'.
47
+ # --version Current gem version.
45
48
 
46
49
  one_gadget -b 60131540dadc6796cab33388349e6e4e68692053
47
50
  # 0x4526a execve("/bin/sh", rsp+0x30, environ)
48
51
  # constraints:
49
52
  # [rsp+0x30] == NULL
50
- #
53
+ #
54
+ # 0xcc543 execve("/bin/sh", rcx, r12)
55
+ # constraints:
56
+ # [rcx] == NULL || rcx == NULL
57
+ # [r12] == NULL || r12 == NULL
58
+ #
59
+ # 0xcc618 execve("/bin/sh", rax, r12)
60
+ # constraints:
61
+ # [rax] == NULL || rax == NULL
62
+ # [r12] == NULL || r12 == NULL
63
+ #
51
64
  # 0xef6c4 execve("/bin/sh", rsp+0x50, environ)
52
65
  # constraints:
53
66
  # [rsp+0x50] == NULL
54
- #
67
+ #
55
68
  # 0xf0567 execve("/bin/sh", rsp+0x70, environ)
56
69
  # constraints:
57
70
  # [rsp+0x70] == NULL
58
- #
59
- # 0xcc543 execve("/bin/sh", rcx, r12)
60
- # constraints:
61
- # rcx == NULL || [rcx] == NULL
62
- # r12 == NULL || [r12] == NULL
63
- #
64
- # 0xcc618 execve("/bin/sh", rax, r12)
65
- # constraints:
66
- # rax == NULL || [rax] == NULL
67
- # r12 == NULL || [r12] == NULL
68
- #
71
+ #
69
72
  # 0xf5b10 execve("/bin/sh", rcx, [rbp-0xf8])
70
73
  # constraints:
71
- # [rbp-0xf8] == NULL || [[rbp-0xf8]] == NULL
72
- # rcx == NULL || [rcx] == NULL
74
+ # [rcx] == NULL || rcx == NULL
75
+ # [[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL
73
76
 
74
77
  one_gadget /lib/i386-linux-gnu/libc.so.6
75
78
  # 0x3ac69 execve("/bin/sh", esp+0x34, environ)
@@ -104,18 +107,19 @@ one_gadget ./spec/data/libc-2.19.so -s 'echo "offset ->"'
104
107
  require 'one_gadget'
105
108
  OneGadget.gadgets(file: '/lib/x86_64-linux-gnu/libc.so.6')
106
109
  # => [283242, 980676, 984423, 836931, 837144, 1006352]
110
+
107
111
  # or in shorter way
108
- one_gadget(file: '/lib/x86_64-linux-gnu/libc.so.6')
112
+ one_gadget('/lib/x86_64-linux-gnu/libc.so.6')
109
113
  # => [283242, 980676, 984423, 836931, 837144, 1006352]
110
114
 
111
115
  # from build id
112
- one_gadget(build_id: '60131540dadc6796cab33388349e6e4e68692053')
116
+ one_gadget('60131540dadc6796cab33388349e6e4e68692053')
113
117
  # => [283242, 980676, 984423, 836931, 837144, 1006352]
114
118
  ```
115
119
 
116
120
  ## Screenshots
117
121
 
118
- ### Search gadgets from file
122
+ ### Search gadgets in libc
119
123
 
120
124
  #### 64 bit
121
125
  ![from file](https://github.com/david942j/one_gadget/blob/master/examples/from_file.png?raw=true)
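Review bot: the unchanged context line `# => [283242, 980676, 984423, 836931, 837144, 1006352]` is now inconsistent with the CLI sample edited in the previous hunk. The CLI output was reordered to ascending offsets (0x4526a, 0xcc543, 0xcc618, 0xef6c4, 0xf0567, 0xf5b10, i.e. 283242, 836931, 837144, 980676, 984423, 1006352), but the Ruby API sample still shows the old order. Either the sort is a display-only change in the CLI, in which case say so, or the three `# =>` arrays in this block should be updated to the sorted order so readers do not conclude the two interfaces disagree.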
@@ -126,3 +130,8 @@ one_gadget(build_id: '60131540dadc6796cab33388349e6e4e68692053')
126
130
  ### Fetch gadgets from database
127
131
  ![build id](https://github.com/david942j/one_gadget/blob/master/examples/from_build_id.png?raw=true)
128
132
 
133
+ ## Make OneGadget Better
134
+ Any suggestion or feature request is welcome! Feel free to send a pull request.
135
+
136
+ Please let me know if you find any libc that make OneGadget fail to find gadgets.
137
+ And, if you like this work, I'll be happy to be [stared](https://github.com/david942j/one_gadget/stargazers) :grimacing:
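Review bot: two typos in the new section: "any libc that make OneGadget fail" should read "makes", and "[stared](...)" should read "[starred](...)" (the link does point at the stargazers page, so the word, not the URL, is wrong).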
@@ -1,6 +1,8 @@
1
1
  # OneGadget - To find the execve(/bin/sh, 0, 0) in glibc.
2
2
  #
3
3
  # @author david942j
4
+
5
+ # Main module.
4
6
  module OneGadget
5
7
  class << self
6
8
  # The man entry of gem +one_gadget+.
@@ -38,12 +40,25 @@ module OneGadget
38
40
  end
39
41
 
40
42
  # Shorter way to use one gadget.
41
- # @param [Mixed] args
42
- # See {OneGadget#gadgets} for more information.
43
+ # @param [String?] arg
44
+ # Can be either +build_id+ or path to libc.
45
+ # @param [Mixed] options
46
+ # See {OneGadget#gadgets} for ore information.
43
47
  # @return [Array<OneGadget::Gadget::Gadget>, Array<Integer>]
44
48
  # The gadgets found.
45
- def one_gadget(*args)
46
- OneGadget.gadgets(*args)
49
+ # @example
50
+ # one_gadget('./libc.so.6')
51
+ # one_gadget('cbfa941a8eb7a11e4f90e81b66fcd5a820995d7c')
52
+ # one_gadget('./libc.so.6', details: true)
53
+ def one_gadget(arg = nil, **options)
54
+ unless arg.nil?
55
+ if arg =~ /\A#{OneGadget::Helper::BUILD_ID_FORMAT}\Z/
56
+ options[:build_id] = arg
57
+ else
58
+ options[:file] = arg
59
+ end
60
+ end
61
+ OneGadget.gadgets(**options)
47
62
  end
48
63
 
49
64
  require 'one_gadget/fetcher'
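Review bot: the build-id detection `arg =~ /\A#{OneGadget::Helper::BUILD_ID_FORMAT}\Z/` should use `\z` rather than `\Z`; `\Z` also matches before a trailing newline, so an argument read from a file or shell substitution with a dangling "\n" would be accepted as a build id and then passed on unchanged. Consider also checking `File.exist?(arg)` before the regex match, since a relative path whose basename happens to match the build-id format would otherwise be silently treated as a build id instead of a file. Minor: the docstring has "See {OneGadget#gadgets} for ore information" (missing "m"). The keyword-only calls shown in the old README, `one_gadget(file: ...)` and `one_gadget(build_id: ...)`, still work with `arg = nil, **options`, so this change is backward compatible.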
@@ -1,7 +1,7 @@
1
- require 'one_gadget/helper'
2
1
  require 'one_gadget/fetchers/amd64'
3
2
  require 'one_gadget/fetchers/i386'
4
3
  require 'one_gadget/gadget'
4
+ require 'one_gadget/helper'
5
5
 
6
6
  module OneGadget
7
7
  # To find gadgets.
@@ -1,5 +1,6 @@
1
- require 'one_gadget/fetchers/base'
2
1
  require 'one_gadget/emulators/amd64'
2
+ require 'one_gadget/fetchers/base'
3
+
3
4
  module OneGadget
4
5
  module Fetcher
5
6
  # Fetcher for amd64.
@@ -1,7 +1,8 @@
1
- require 'one_gadget/fetchers/base'
2
- require 'one_gadget/emulators/i386'
3
1
  require 'elftools'
4
2
 
3
+ require 'one_gadget/emulators/i386'
4
+ require 'one_gadget/fetchers/base'
5
+
5
6
  module OneGadget
6
7
  module Fetcher
7
8
  # Fetcher for i386.
@@ -65,10 +65,8 @@ module OneGadget
65
65
  # Fetch the latest release version's tag name.
66
66
  # @return [String] The tag name, in form +vx.x.x+.
67
67
  def latest_tag
68
- releases_url = 'https://github.com/david942j/one_gadget/releases'
69
- @latest_tag ||= 'v' + url_request(releases_url).scan(%r{/tree/v([\d.]+)"}).map do |tag|
70
- Gem::Version.new(tag.first)
71
- end.max.to_s
68
+ releases_url = 'https://github.com/david942j/one_gadget/releases/latest'
69
+ @latest_tag ||= url_request(releases_url).split('/').last
72
70
  end
73
71
 
74
72
  # Get the url which can fetch +filename+ from remote repo.
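Review bot: `url_request(releases_url).split('/').last` trusts whatever comes back from the `/releases/latest` request and memoizes it unconditionally. If `url_request` returns `nil` (its rescue clause does that on network or argument errors) this raises `NoMethodError`; if GitHub answers 200 instead of a redirect (for example when no release exists), the HTML body is split on "/" and an arbitrary fragment becomes `@latest_tag`, which `url_of_file` then interpolates into the raw.githubusercontent.com download URL. Validate the extracted segment against the documented `vx.x.x` form (e.g. `raise unless tag =~ /\Av[\d.]+\z/`) before memoizing, so a malformed or unexpected redirect cannot steer the build download to an unintended path.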
@@ -76,7 +74,7 @@ module OneGadget
76
74
  # @return [String] The url.
77
75
  def url_of_file(filename)
78
76
  raw_file_url = 'https://raw.githubusercontent.com/david942j/one_gadget/@tag/@file'
79
- raw_file_url.gsub('@tag', latest_tag).gsub('@file', filename)
77
+ raw_file_url.sub('@tag', latest_tag).sub('@file', filename)
80
78
  end
81
79
 
82
80
  # Download the latest version of +file+ in +lib/one_gadget/builds/+ from remote repo.
@@ -99,7 +97,9 @@ module OneGadget
99
97
 
100
98
  # Get request.
101
99
  # @param [String] url The url.
102
- # @return [String] The request response body.
100
+ # @return [String]
101
+ # The request response body.
102
+ # If the response is '302 Found', return the location in header.
103
103
  def url_request(url)
104
104
  uri = URI.parse(url)
105
105
  http = Net::HTTP.new(uri.host, uri.port)
@@ -109,8 +109,8 @@ module OneGadget
109
109
  request = Net::HTTP::Get.new(uri.request_uri)
110
110
 
111
111
  response = http.request(request)
112
- raise ArgumentError, "Fail to get response of #{url}" unless response.code == '200'
113
- response.body
112
+ raise ArgumentError, "Fail to get response of #{url}" unless %w(200 302).include?(response.code)
113
+ response.code == '302' ? response['location'] : response.body
114
114
  rescue NoMethodError, SocketError, ArgumentError => e
115
115
  p e
116
116
  nil
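Review bot: the redirect handling only recognizes the literal code '302' and returns `response['location']`, which may be `nil` if the header is absent; GitHub may also answer 301, 303 or 307 for the same URL, and those would now raise the "Fail to get response" error. Checking `response.is_a?(Net::HTTPRedirection)` and raising when `response['location']` is empty covers those cases. The method now returns either a body or a Location URL depending on the status, which the caller cannot distinguish; it would be clearer to either follow the redirect here or split this into a dedicated `redirect_location(url)` helper used by `latest_tag`.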
@@ -1,4 +1,5 @@
1
1
  require 'logger'
2
+
2
3
  require 'one_gadget/helper'
3
4
 
4
5
  module OneGadget
@@ -1,4 +1,4 @@
1
1
  module OneGadget
2
2
  # Current gem version.
3
- VERSION = '1.3.7'.freeze
3
+ VERSION = '1.3.8'.freeze
4
4
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: one_gadget
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.3.7
4
+ version: 1.3.8
5
5
  platform: ruby
6
6
  authors:
7
7
  - david942j
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-04-04 00:00:00.000000000 Z
11
+ date: 2017-05-26 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: elftools