one_gadget 1.6.2 → 1.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2e26da79b62658e7dd1ce9efcaeda04fbe805b98eb1fecf234948311d70553e3
-  data.tar.gz: 2ed832df9cffecaba987753e1ed9c9ebe8068e410c00da108c1348e80efe6637
+  metadata.gz: cb3e8709a50b2ef22f37f074e9c9d2da21e208bbf71a0679966bd461728adef7
+  data.tar.gz: 98351653ab6b1207acb3e71fc59c6a7de60b5b9de2255f582963e37d40dcf6c4
 SHA512:
-  metadata.gz: 47732f230a683edcb699a21f3891812326b1a7d9b966c13fb3a50c8d07b7ffbb3ce4244d324c0f13907f8b5d64e6a16a824d44946d97f6f131df7cf0b1380b8e
-  data.tar.gz: 0a90f8f323ee47f78314eeb420eec22a36f8954b12806a47d493d8996128abb4ac40c2cb4ec25b236b3723a390391903e5082f1af6751a061645e4dfc442e8e0
+  metadata.gz: 91f45537678c2a257cdba8870d347396e65deb407fc8173a48c6a2475422b6575bf07b624223dbf5c1381935cdd384fc79a1e334d5fa4c8179f084f7b8da4a52
+  data.tar.gz: 3a79932b8b1c304786a486769544bec8ee2f11b8147e7cb694e8d0b2a9391df1dc1fc2fe2f182f46c23ac2ab2ae05c2f128d93f580a83c7f6be567e7d8f1a786

data/README.md

@@ -6,41 +6,38 @@
 [![Inline docs](https://inch-ci.org/github/david942j/one_gadget.svg?branch=master)](https://inch-ci.org/github/david942j/one_gadget)
 [![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)](http://choosealicense.com/licenses/mit/)
 
-## One Gadget
+## OneGadget
 
 When playing ctf pwn challenges we usually need the one-gadget RCE (remote code execution),
 which leads to call `execve('/bin/sh', NULL, NULL)`.
 
 This gem provides such gadgets finder, no need to use objdump or IDA-pro every time like a fool :wink:
 
-To use this tool, just type `one_gadget /path/to/libc` in command line and enjoy the magic :laughing:
+To use this tool, type `one_gadget /path/to/libc` in command line and enjoy the magic :laughing:
 
-Note: Supports amd64 and i386!
-
-## Install
+## Installation
 
 Available on RubyGems.org!
 ```bash
 $ gem install one_gadget
 ```
 
-Note: require ruby version >= 2.1.0, you can use `ruby --version` to check.
+Note: requires ruby version >= 2.1.0, you can use `ruby --version` to check.
+
+## Supported Architectures
+
+- [x] i386
+- [x] amd64 (x86-64)
+- [x] aarch64 (ARMv8)
 
 ## Implementation
 
-OneGadget uses simple self-implement symbolic execution to find the constraints of gadgets to be successful.
+OneGadget uses symbolic execution to find the constraints of gadgets to be successful.
 
-The article introducing how I develop this tool can be found [in my blog](https://david942j.blogspot.com/2017/02/project-one-gadget-in-glibc.html).
+The article introducing how I develop this tool can be found [on my blog](https://david942j.blogspot.com/2017/02/project-one-gadget-in-glibc.html).
 
 ## Usage
 
-Since OneGadget version 1.5.0,
-much more one-gadgets have been found.
-And gadgets become too many to show them all,
-they would be selected automatically according to the difficulty of constraints.
-Therefore, gadgets shown will be less than previous versions (before v1.5.0).
-But you can use option `--level 1` to show all gadgets found.
-
 ### Command Line Interface
 
 ```bash
@@ -58,117 +55,169 @@ $ one_gadget
 #         --info BuildID               Show version information given BuildID.
 #         --version                    Current gem version.
 
-$ one_gadget -b 60131540dadc6796cab33388349e6e4e68692053
-# 0x45216	execve("/bin/sh", rsp+0x30, environ)
+```
+
+```bash
+$ one_gadget /lib/x86_64-linux-gnu/libc.so.6
+# 0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
+# constraints:
+#   rcx == NULL
+#
+# 0x4f322 execve("/bin/sh", rsp+0x40, environ)
+# constraints:
+#   [rsp+0x40] == NULL
+#
+# 0x10a38c execve("/bin/sh", rsp+0x70, environ)
+# constraints:
+#   [rsp+0x70] == NULL
+
+```
+![x86_64](https://github.com/david942j/one_gadget/blob/master/examples/x86_64.png?raw=true)
+
+#### Given BuildID
+```bash
+$ one_gadget -b aad7dbe330f23ea00ca63daf793b766b51aceb5d
+# 0x45526 execve("/bin/sh", rsp+0x30, environ)
 # constraints:
 #   rax == NULL
 #
-# 0x4526a	execve("/bin/sh", rsp+0x30, environ)
+# 0x4557a execve("/bin/sh", rsp+0x30, environ)
 # constraints:
 #   [rsp+0x30] == NULL
 #
-# 0xef6c4	execve("/bin/sh", rsp+0x50, environ)
+# 0xf1651 execve("/bin/sh", rsp+0x40, environ)
 # constraints:
-#   [rsp+0x50] == NULL
+#   [rsp+0x40] == NULL
 #
-# 0xf0567	execve("/bin/sh", rsp+0x70, environ)
+# 0xf24cb execve("/bin/sh", rsp+0x60, environ)
 # constraints:
-#   [rsp+0x70] == NULL
+#   [rsp+0x60] == NULL
 
-$ one_gadget /lib32/libc.so.6
-# 0x3a7cc	execve("/bin/sh", esp+0x28, environ)
+```
+![build id](https://github.com/david942j/one_gadget/blob/master/examples/from_build_id.png?raw=true)
+
+#### Show All Gadgets
+
+Sometimes `one_gadget` finds too many gadgets to show them in one screen,
+by default gadgets would be filtered automatically *according to the difficulty of constraints*.
+
+Use option `--level 1` to show all gadgets found instead of only those with higher probabilities.
+
+```bash
+$ one_gadget /lib/x86_64-linux-gnu/libc.so.6 --level 1
+# 0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
 # constraints:
-#   esi is the GOT address of libc
-#   [esp+0x28] == NULL
+#   rcx == NULL
 #
-# 0x3a7ce	execve("/bin/sh", esp+0x2c, environ)
+# 0x4f322 execve("/bin/sh", rsp+0x40, environ)
 # constraints:
-#   esi is the GOT address of libc
-#   [esp+0x2c] == NULL
+#   [rsp+0x40] == NULL
 #
-# 0x3a7d2	execve("/bin/sh", esp+0x30, environ)
+# 0xe569f execve("/bin/sh", r14, r12)
 # constraints:
-#   esi is the GOT address of libc
-#   [esp+0x30] == NULL
+#   [r14] == NULL || r14 == NULL
+#   [r12] == NULL || r12 == NULL
 #
-# 0x3a7d9	execve("/bin/sh", esp+0x34, environ)
+# 0xe5858 execve("/bin/sh", [rbp-0x88], [rbp-0x70])
 # constraints:
-#   esi is the GOT address of libc
-#   [esp+0x34] == NULL
+#   [[rbp-0x88]] == NULL || [rbp-0x88] == NULL
+#   [[rbp-0x70]] == NULL || [rbp-0x70] == NULL
 #
-# 0x5f875	execl("/bin/sh", eax)
+# 0xe585f execve("/bin/sh", r10, [rbp-0x70])
 # constraints:
-#   esi is the GOT address of libc
-#   eax == NULL
+#   [r10] == NULL || r10 == NULL
+#   [[rbp-0x70]] == NULL || [rbp-0x70] == NULL
 #
-# 0x5f876	execl("/bin/sh", [esp])
+# 0xe5863 execve("/bin/sh", r10, rdx)
 # constraints:
-#   esi is the GOT address of libc
-#   [esp] == NULL
-
-$ one_gadget /lib/x86_64-linux-gnu/libc.so.6
-# 0x45526	execve("/bin/sh", rsp+0x30, environ)
-# constraints:
-#   rax == NULL
+#   [r10] == NULL || r10 == NULL
+#   [rdx] == NULL || rdx == NULL
 #
-# 0x4557a	execve("/bin/sh", rsp+0x30, environ)
+# 0x10a38c execve("/bin/sh", rsp+0x70, environ)
 # constraints:
-#   [rsp+0x30] == NULL
+#   [rsp+0x70] == NULL
 #
-# 0xf1651	execve("/bin/sh", rsp+0x40, environ)
+# 0x10a398 execve("/bin/sh", rsi, [rax])
 # constraints:
-#   [rsp+0x40] == NULL
+#   [rsi] == NULL || rsi == NULL
+#   [[rax]] == NULL || [rax] == NULL
+
+```
+
+#### Other Architectures
+
+##### i386
+```bash
+$ one_gadget /lib32/libc.so.6
+# 0x3cbea execve("/bin/sh", esp+0x34, environ)
+# constraints:
+#   esi is the GOT address of libc
+#   [esp+0x34] == NULL
 #
-# 0xf24cb	execve("/bin/sh", rsp+0x60, environ)
+# 0x3cbec execve("/bin/sh", esp+0x38, environ)
 # constraints:
-#   [rsp+0x60] == NULL
-
-# show all gadgets found
-$ one_gadget /lib/x86_64-linux-gnu/libc.so.6 --level 1
-# 0x45526	execve("/bin/sh", rsp+0x30, environ)
+#   esi is the GOT address of libc
+#   [esp+0x38] == NULL
+#
+# 0x3cbf0 execve("/bin/sh", esp+0x3c, environ)
 # constraints:
-#   rax == NULL
+#   esi is the GOT address of libc
+#   [esp+0x3c] == NULL
 #
-# 0x4557a	execve("/bin/sh", rsp+0x30, environ)
+# 0x3cbf7 execve("/bin/sh", esp+0x40, environ)
 # constraints:
-#   [rsp+0x30] == NULL
+#   esi is the GOT address of libc
+#   [esp+0x40] == NULL
 #
-# 0xcde41	execve("/bin/sh", r15, r13)
+# 0x6729f execl("/bin/sh", eax)
 # constraints:
-#   [r15] == NULL || r15 == NULL
-#   [r13] == NULL || r13 == NULL
+#   esi is the GOT address of libc
+#   eax == NULL
 #
-# 0xce0e1	execve("/bin/sh", [rbp-0x78], [rbp-0x50])
+# 0x672a0 execl("/bin/sh", [esp])
 # constraints:
-#   [[rbp-0x78]] == NULL || [rbp-0x78] == NULL
-#   [[rbp-0x50]] == NULL || [rbp-0x50] == NULL
+#   esi is the GOT address of libc
+#   [esp] == NULL
 #
-# 0xce0e5	execve("/bin/sh", r9, [rbp-0x50])
+# 0x13573e execl("/bin/sh", eax)
 # constraints:
-#   [r9] == NULL || r9 == NULL
-#   [[rbp-0x50]] == NULL || [rbp-0x50] == NULL
+#   ebx is the GOT address of libc
+#   eax == NULL
 #
-# 0xce0e9	execve("/bin/sh", r9, rdx)
+# 0x13573f execl("/bin/sh", [esp])
 # constraints:
-#   [r9] == NULL || r9 == NULL
-#   [rdx] == NULL || rdx == NULL
+#   ebx is the GOT address of libc
+#   [esp] == NULL
+
+```
+![i386](https://github.com/david942j/one_gadget/blob/master/examples/i386.png?raw=true)
+
+##### AArch64
+```bash
+$ one_gadget spec/data/aarch64-libc-2.27.so
+# 0x3f160 execve("/bin/sh", sp+0x70, environ)
+# constraints:
+#   address x20+0x338 is writable
+#   x3 == NULL
 #
-# 0xf1651	execve("/bin/sh", rsp+0x40, environ)
+# 0x3f184 execve("/bin/sh", sp+0x70, environ)
 # constraints:
-#   [rsp+0x40] == NULL
+#   addresses x19+0x4, x20+0x338 are writable
+#   [sp+0x70] == NULL
 #
-# 0xf165d	execve("/bin/sh", rsi, [rax])
+# 0x3f1a8 execve("/bin/sh", x21, environ)
 # constraints:
-#   [rsi] == NULL || rsi == NULL
-#   [[rax]] == NULL || [rax] == NULL
+#   addresses x19+0x4, x20+0x338 are writable
+#   [x21] == NULL || x21 == NULL
 #
-# 0xf24cb	execve("/bin/sh", rsp+0x60, environ)
+# 0x63e90 execl("/bin/sh", x1)
 # constraints:
-#   [rsp+0x60] == NULL
+#   x1 == NULL
 
 ```
+![aarch64](https://github.com/david942j/one_gadget/blob/master/examples/aarch64.png?raw=true)
 
-#### Combine with exploit script
+#### Combine with Script
 Pass your exploit script as `one_gadget`'s arguments, it can
 try all gadgets one by one, so you don't need to try every possible gadgets manually.
 
@@ -178,34 +227,32 @@ $ one_gadget ./spec/data/libc-2.19.so -s 'echo "offset ->"'
 
 ![--script](https://github.com/david942j/one_gadget/blob/master/examples/script.png?raw=true)
 
-### Directly use in script
+### In Ruby Scripts
 ```ruby
 require 'one_gadget'
 OneGadget.gadgets(file: '/lib/x86_64-linux-gnu/libc.so.6')
-#=> [283942, 284026, 988753, 992459]
+#=> [324293, 324386, 1090444]
 
 # or in shorter way
 one_gadget('/lib/x86_64-linux-gnu/libc.so.6', level: 1)
-#=> [283942, 284026, 843329, 844001, 844005, 844009, 988753, 988765, 992459]
+#=> [324293, 324386, 939679, 940120, 940127, 940131, 1090444, 1090456]
 
 # from build id
-one_gadget('60131540dadc6796cab33388349e6e4e68692053')
-#=> [283158, 283242, 980676, 984423]
+one_gadget('b417c0ba7cc5cf06d1d1bed6652cedb9253c60d0')
+#=> [324293, 324386, 1090444]
 
 ```
 
-## Screenshots
-
-### Search gadgets in libc
-
-#### 64 bit
-![from file](https://github.com/david942j/one_gadget/blob/master/examples/from_file.png?raw=true)
+### To Python Lovers
+```python
+import subprocess
+def one_gadget(filename):
+  return map(int, subprocess.check_output(['one_gadget', '--raw', filename]).split(' '))
 
-#### 32 bit
-![from file](https://github.com/david942j/one_gadget/blob/master/examples/from_file_32bit.png?raw=true)
+one_gadget('/lib/x86_64-linux-gnu/libc.so.6')
+#=> [324293, 324386, 1090444]
 
-### Fetch gadgets from database
-![build id](https://github.com/david942j/one_gadget/blob/master/examples/from_build_id.png?raw=true)
+```
 
 ## Make OneGadget Better
 Any suggestion or feature request is welcome! Feel free to send a pull request.

data/bin/one_gadget

@@ -1,7 +1,9 @@
 #!/usr/bin/env ruby
-require 'one_gadget'
+
 require 'optparse'
 
+require 'one_gadget'
+
 options = { raw: false }
 usage = 'Usage: one_gadget [file] [options]'
 parser = OptionParser.new do |opts|
@@ -70,10 +72,9 @@ else
   exit(1)
 end
 
-extend OneGadget::Helper::ClassMethods
 if options[:script]
   gadgets.map(&:offset).each do |offset|
-    OneGadget::Logger.info("Trying #{colorize(format('0x%x', offset), sev: :integer)}...\n")
+    OneGadget::Logger.info("Trying #{OneGadget::Helper.colorize(format('0x%x', offset), sev: :integer)}...\n")
     execute(options[:script], offset)
   end
   exit(0)

data/lib/one_gadget/abi.rb

@@ -1,29 +1,49 @@
 module OneGadget
-  # define the abi of different architecture.
+  # Defines the abi of different architectures.
   module ABI
-    # Define class methods here.
-    module ClassMethods
-      # Registers in i386.
-      LINUX_X86_32 = %w(eax ebx ecx edx edi esi ebp esp) + 0.upto(7).map { |i| "xmm#{i}" }
-      # Registers in x86_64/
-      LINUX_X86_64 = LINUX_X86_32 +
-                     %w(rax rbx rcx rdx rdi rsi rbp rsp) +
-                     8.upto(15).map { |i| "r#{i}" } +
-                     8.upto(15).map { |i| "xmm#{i}" }
-      # Registers' name in amd64.
-      # @return [Array<String>] List of registers.
-      def amd64
-        LINUX_X86_64
-      end
+    # Registers of i386.
+    X86_32 = %w[eax ebx ecx edx edi esi ebp esp] + 0.upto(7).map { |i| "xmm#{i}" }
+    # Registers of x86_64.
+    X86_64 = X86_32 +
+             %w[rax rbx rcx rdx rdi rsi rbp rsp] +
+             8.upto(15).map { |i| "r#{i}" } +
+             8.upto(15).map { |i| "xmm#{i}" }
 
-      # Registers' name in i386.
-      # @return [Array<String>] List of registers.
-      def i386
-        LINUX_X86_32
-      end
+    # Registers of AArch64.
+    AARCH64 = %w[xzr wzr sp] + 0.upto(30).map { |i| ["x#{i}", "w#{i}"] }.flatten
 
-      alias all amd64
+    module_function
+
+    # Registers' name of amd64.
+    # @return [Array<String>] List of registers.
+    def amd64
+      X86_64.uniq
+    end
+
+    # Registers' name of i386.
+    # @return [Array<String>] List of registers.
+    def i386
+      X86_32
+    end
+
+    # Registers' name of aarch64.
+    # @return [Array<String>] List of registers.
+    def aarch64
+      AARCH64
+    end
+
+    # Returns all names of registers.
+    # @return [Array<String>] List of registers.
+    def all
+      amd64 + aarch64
+    end
+
+    # Checks if the register is a stack-related pointer.
+    # @param [String] reg
+    #   Register's name.
+    # @return [Boolean]
+    def stack_register?(reg)
+      %w[esp ebp rsp rbp sp x29].include?(reg)
     end
-    extend ClassMethods
   end
 end

data/lib/one_gadget/builds/libc-2.19-397c84e78c14cbffba39a48184db482211df9fb3.rb

@@ -0,0 +1,38 @@
+require 'one_gadget/gadget'
+# https://gitlab.com/libcdb/libcdb/blob/master/libc/libc6_2.19-10ubuntu2_arm64/lib/aarch64-linux-gnu/libc-2.19.so
+# 
+# AArch64
+# 
+# GNU C Library (Ubuntu GLIBC 2.19-10ubuntu2) stable release version 2.19, by Roland McGrath et al.
+# Copyright (C) 2014 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 4.8.3.
+# Compiled on a Linux 3.16.3 system on 2014-09-30.
+# Available extensions:
+# 	crypt add-on version 2.1 by Michael Glad and others
+# 	GNU Libidn by Simon Josefsson
+# 	Native POSIX Threads Library by Ulrich Drepper et al
+# 	BIND-8.2.3-T5B
+# libc ABIs: UNIQUE
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261724,
+                      constraints: ["writable: x21+0x2e0", "x3+0x9e0 == NULL"],
+                      effect: "execve(\"/bin/sh\", sp+0x68, environ)")
+OneGadget::Gadget.add(build_id, 261732,
+                      constraints: ["writable: x20", "writable: x21+0x2e0", "[x20] == NULL || x20 == NULL"],
+                      effect: "execve(\"/bin/sh\", x20, environ)")
+OneGadget::Gadget.add(build_id, 261808,
+                      constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x20] == NULL || x20 == NULL"],
+                      effect: "execve(\"/bin/sh\", x20, environ)")
+OneGadget::Gadget.add(build_id, 261820,
+                      constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x1] == NULL || x1 == NULL", "[[x0]] == NULL || [x0] == NULL"],
+                      effect: "execve(\"/bin/sh\", x1, [x0])")
+OneGadget::Gadget.add(build_id, 261824,
+                      constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x1] == NULL || x1 == NULL", "[x2] == NULL || x2 == NULL"],
+                      effect: "execve(\"/bin/sh\", x1, x2)")
+