one_gadget 1.7.1 → 1.7.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5bb9760cff1de2c7868863e0ffa6d095e40952a16067d1b7e9fb665930c0304b
-  data.tar.gz: 2d129e1e021b4d69f4a780716e3b6bfbb3c09c2950809f8804f09e6de93e1758
+  metadata.gz: 8408e8896c26b1f1841de6d054d3535f557e9460d0cf888b11d9bf0e84794b92
+  data.tar.gz: 61f4578f7bc943a7bf2914807769285832870af127c615e45635b89dc1a66a19
 SHA512:
-  metadata.gz: 2250eb2a38fedb482306695b51a1eb099d77aac6ec614b7fd03b2f3f84334fde485372fd1f60ba6287f4b83d6d17afafa783c4ecf49d18e127ade70f845ec4b7
-  data.tar.gz: c4ad302c436c7132ddbc080bfa4f3a80fd4d77d01e0e51876eac84b3ca8ceedf7feaca2ed62c1cb957af6d101d842d6277f11369c02b50eacc36caf8919bd42c
+  metadata.gz: 8e8462690bcbdfa1424cc9374f71a027423f544b956153507b9cb6bf0ee4d829656eb559d90016ec399595a4de32dc6475155347cb417b806d10e6b9bf78f010
+  data.tar.gz: 4180279e347d9f1623ece4cd1829da966c9f759062ac787d5910019e10b7eae0f7b46e75b419997e9d8cbf1df8fc4a1aa9f7e4e02ca0557d2fb8973e5a10f2b1

data/README.md

@@ -44,13 +44,14 @@ The article introducing how I develop this tool can be found [on my blog](https:
 
 ```bash
 $ one_gadget
-# Usage: one_gadget [file] [options]
+# Usage: one_gadget <FILE|-b BuildID> [options]
 #     -b, --build-id BuildID           BuildID[sha1] of libc.
 #     -f, --[no-]force-file            Force search gadgets in file instead of build id first.
 #     -l, --level OUTPUT_LEVEL         The output level.
 #                                      OneGadget automatically selects gadgets with higher successful probability.
 #                                      Increase this level to ask OneGadget show more gadgets it found.
 #                                      Default: 0
+#     -n, --near FUNCTIONS/FILE        Order gadgets by their distance to the given functions or to the GOT functions of the given file.
 #     -r, --[no-]raw                   Output gadgets offset only, split with one space.
 #     -s, --script exploit-script      Run exploit script with all possible gadgets.
 #                                      The script will be run as 'exploit-script $offset'.
@@ -98,6 +99,90 @@ $ one_gadget -b aad7dbe330f23ea00ca63daf793b766b51aceb5d
 ```
 ![build id](https://github.com/david942j/one_gadget/blob/master/examples/from_build_id.png?raw=true)
 
+#### Gadgets Near Functions
+
+##### Why
+
+Consider this scenario when exploiting:
+1. Able to write on GOT (Global Offset Table)
+2. Libc base address is unknown
+
+In this scenario you can choose to write two low-byte on a GOT entry with one-gadget's two low-byte.
+If the function offset on GOT is close enough with the one-gadget,
+you will have at least 1/16 chance of success.
+
+##### Usage
+
+Reorder gadgets according to the distance of given functions.
+
+```bash
+$ one_gadget /lib/x86_64-linux-gnu/libc.so.6 --near exit,mkdir
+# [OneGadget] Gadgets near exit(0x43120):
+# 0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
+# constraints:
+#   rcx == NULL
+#
+# 0x4f322 execve("/bin/sh", rsp+0x40, environ)
+# constraints:
+#   [rsp+0x40] == NULL
+#
+# 0x10a38c execve("/bin/sh", rsp+0x70, environ)
+# constraints:
+#   [rsp+0x70] == NULL
+#
+# [OneGadget] Gadgets near mkdir(0x10fbb0):
+# 0x10a38c execve("/bin/sh", rsp+0x70, environ)
+# constraints:
+#   [rsp+0x70] == NULL
+#
+# 0x4f322 execve("/bin/sh", rsp+0x40, environ)
+# constraints:
+#   [rsp+0x40] == NULL
+#
+# 0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
+# constraints:
+#   rcx == NULL
+#
+
+```
+![near](https://github.com/david942j/one_gadget/blob/master/examples/near.png?raw=true)
+
+Regular expression is acceptable.
+```bash
+$ one_gadget /lib/x86_64-linux-gnu/libc.so.6 --near 'write.*' --raw
+# [OneGadget] Gadgets near writev(0x1166a0):
+# 1090444 324386 324293
+#
+# [OneGadget] Gadgets near write(0x110140):
+# 1090444 324386 324293
+#
+
+```
+
+Pass an ELF file as the argument, OneGadget will take all GOT functions for processing.
+```bash
+$ one_gadget /lib/x86_64-linux-gnu/libc.so.6 --near spec/data/test_near_file.elf --raw
+# [OneGadget] Gadgets near exit(0x43120):
+# 324293 324386 1090444
+#
+# [OneGadget] Gadgets near puts(0x809c0):
+# 324386 324293 1090444
+#
+# [OneGadget] Gadgets near printf(0x64e80):
+# 324386 324293 1090444
+#
+# [OneGadget] Gadgets near strlen(0x9dc70):
+# 324386 324293 1090444
+#
+# [OneGadget] Gadgets near __cxa_finalize(0x43520):
+# 324293 324386 1090444
+#
+# [OneGadget] Gadgets near __libc_start_main(0x21ab0):
+# 324293 324386 1090444
+#
+
+```
+
 #### Show All Gadgets
 
 Sometimes `one_gadget` finds too many gadgets to show them in one screen,

data/bin/one_gadget

@@ -1,87 +1,6 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
-require 'optparse'
+require 'one_gadget/cli'
 
-require 'one_gadget'
-
-options = { raw: false }
-usage = 'Usage: one_gadget [file] [options]'
-parser = OptionParser.new do |opts|
-  opts.banner = usage
-
-  opts.on('-b', '--build-id BuildID', 'BuildID[sha1] of libc.') do |b|
-    options[:build_id] = b
-  end
-
-  opts.on('-f', '--[no-]force-file', 'Force search gadgets in file instead of build id first.') do |b|
-    options[:force_file] = b
-  end
-
-  opts.on('-l', '--level OUTPUT_LEVEL', Integer, 'The output level.',
-          'OneGadget automatically selects gadgets with higher successful probability.',
-          'Increase this level to ask OneGadget show more gadgets it found.',
-          'Default: 0') do |l|
-    options[:level] = l
-  end
-
-  opts.on('-r', '--[no-]raw', 'Output gadgets offset only, split with one space.') do |v|
-    options[:raw] = v
-  end
-
-  opts.on('-s', '--script exploit-script', 'Run exploit script with all possible gadgets.',
-          'The script will be run as \'exploit-script $offset\'.') do |script|
-    options[:script] = script
-  end
-
-  opts.on('--info BuildID', 'Show version information given BuildID.') do |b|
-    options[:info] = b
-  end
-
-  opts.on('--version', 'Current gem version.') do |v|
-    options[:version] = v
-  end
-end
-parser.parse!
-
-if options[:version]
-  puts "OneGadget Version #{OneGadget::VERSION}"
-  exit(0)
-end
-
-def execute(script, offset)
-  pid = fork do
-    exec([script, offset.to_s].join(' '))
-  end
-  Process.wait pid
-end
-
-if options[:info]
-  result = OneGadget::Gadget.builds_info(options[:info])
-  exit(1) if result.nil? # error happend
-  OneGadget::Logger.info("Information of #{options[:info]}:\n#{result.join("\n")}\n")
-  exit(0)
-end
-
-level = options[:level] || 0
-if options[:build_id]
-  gadgets = OneGadget.gadgets(build_id: options[:build_id], details: true, level: level)
-elsif ARGV[0]
-  gadgets = OneGadget.gadgets(file: ARGV[0], details: true, force_file: options[:force_file], level: level)
-else
-  puts parser.help
-  exit(1)
-end
-
-if options[:script]
-  gadgets.map(&:offset).each do |offset|
-    OneGadget::Logger.info("Trying #{OneGadget::Helper.colorize(format('0x%x', offset), sev: :integer)}...\n")
-    execute(options[:script], offset)
-  end
-  exit(0)
-end
-
-if options[:raw]
-  puts gadgets.map(&:offset).join(' ')
-else
-  puts gadgets.map(&:inspect).join("\n")
-end
+exit OneGadget::CLI.work(ARGV.dup)

data/lib/one_gadget.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # OneGadget - To find the execve(/bin/sh, 0, 0) in glibc.
 #
 # @author david942j

data/lib/one_gadget/abi.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module OneGadget
   # Defines the abi of different architectures.
   module ABI

data/lib/one_gadget/builds/libc-2.23-1ca54a6e0d76188105b12e49fe6b8019bf08803a.rb

@@ -0,0 +1,46 @@
+require 'one_gadget/gadget'
+# ubuntu16.04.6-lib-x86_64-linux-gnu-libc-2.23.so
+# 
+# Advanced Micro Devices X86-64
+# 
+# GNU C Library (Ubuntu GLIBC 2.23-0ubuntu11) stable release version 2.23, by Roland McGrath et al.
+# Copyright (C) 2016 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 5.4.0 20160609.
+# Available extensions:
+# 	crypt add-on version 2.1 by Michael Glad and others
+# 	GNU Libidn by Simon Josefsson
+# 	Native POSIX Threads Library by Ulrich Drepper et al
+# 	BIND-8.2.3-T5B
+# libc ABIs: UNIQUE IFUNC
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 283158,
+                      constraints: ["rax == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 283242,
+                      constraints: ["[rsp+0x30] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 839923,
+                      constraints: ["[rcx] == NULL || rcx == NULL", "[r12] == NULL || r12 == NULL"],
+                      effect: "execve(\"/bin/sh\", rcx, r12)")
+OneGadget::Gadget.add(build_id, 840136,
+                      constraints: ["[rax] == NULL || rax == NULL", "[r12] == NULL || r12 == NULL"],
+                      effect: "execve(\"/bin/sh\", rax, r12)")
+OneGadget::Gadget.add(build_id, 983716,
+                      constraints: ["[rsp+0x50] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 983728,
+                      constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsi, [rax])")
+OneGadget::Gadget.add(build_id, 987463,
+                      constraints: ["[rsp+0x70] == NULL"],
+                      effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
+OneGadget::Gadget.add(build_id, 1009392,
+                      constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL"],
+                      effect: "execve(\"/bin/sh\", rcx, [rbp-0xf8])")
+

data/lib/one_gadget/builds/libc-2.23-9a6b57c7a4f93d7e54e61bccb7df996c8bc58141.rb

@@ -0,0 +1,46 @@
+require 'one_gadget/gadget'
+# ubuntu16.04.06-lib32-libc-2.23.so
+# 
+# Intel 80386
+# 
+# GNU C Library (Ubuntu GLIBC 2.23-0ubuntu11) stable release version 2.23, by Roland McGrath et al.
+# Copyright (C) 2016 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.
+# There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+# Compiled by GNU CC version 5.4.0 20160609.
+# Available extensions:
+# 	crypt add-on version 2.1 by Michael Glad and others
+# 	GNU Libidn by Simon Josefsson
+# 	Native POSIX Threads Library by Ulrich Drepper et al
+# 	BIND-8.2.3-T5B
+# libc ABIs: UNIQUE IFUNC
+# For bug reporting instructions, please see:
+# <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+
+build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 239628,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x28, environ)")
+OneGadget::Gadget.add(build_id, 239630,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
+OneGadget::Gadget.add(build_id, 239634,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 239641,
+                      constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+                      effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 239676,
+                      constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+                      effect: "execve(\"/bin/sh\", eax, [esp])")
+OneGadget::Gadget.add(build_id, 239677,
+                      constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+                      effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
+OneGadget::Gadget.add(build_id, 389221,
+                      constraints: ["esi is the GOT address of libc", "eax == NULL"],
+                      effect: "execl(\"/bin/sh\", eax)")
+OneGadget::Gadget.add(build_id, 389222,
+                      constraints: ["esi is the GOT address of libc", "[esp] == NULL"],
+                      effect: "execl(\"/bin/sh\", [esp])")
+

data/lib/one_gadget/cli.rb

@@ -0,0 +1,220 @@
+# frozen_string_literal: true
+
+require 'optparse'
+
+require 'one_gadget/logger'
+require 'one_gadget/one_gadget'
+require 'one_gadget/version'
+
+module OneGadget
+  # Methods for command line interface.
+  module CLI
+    # Help message.
+    USAGE = 'Usage: one_gadget <FILE|-b BuildID> [options]'
+    # Default options.
+    DEFAULT_OPTIONS = { raw: false, force_file: false, level: 0 }.freeze
+
+    module_function
+
+    # Main method of CLI.
+    # @param [Array<String>] argv
+    #   Command line arguments.
+    # @return [Boolean]
+    #   Whether the command execute successfully.
+    # @example
+    #   CLI.work(%w[--help])
+    #   # usage message
+    #   #=> true
+    #   CLI.work(%w[--version])
+    #   # version message
+    #   #=> true
+    # @example
+    #   CLI.work([])
+    #   # usage message
+    #   #=> false
+    # @example
+    #   CLI.work(%w[-b b417c0ba7cc5cf06d1d1bed6652cedb9253c60d0 -r])
+    #   # 324293 324386 1090444
+    #   #=> true
+    def work(argv)
+      @options = DEFAULT_OPTIONS.dup
+      parser.parse!(argv)
+      return show("OneGadget Version #{OneGadget::VERSION}") if @options[:version]
+      return info_build_id(@options[:info]) if @options[:info]
+
+      libc_file = argv.pop
+      build_id = @options[:build_id]
+      level = @options[:level]
+      return error('Either FILE or BuildID can be passed') if libc_file && @options[:build_id]
+      return show(parser.help) && false unless build_id || libc_file
+
+      gadgets = if build_id
+                  OneGadget.gadgets(build_id: build_id, details: true, level: level)
+                else # libc_file
+                  OneGadget.gadgets(file: libc_file, details: true, force_file: @options[:force_file], level: level)
+                end
+      handle_gadgets(gadgets, libc_file)
+    end
+
+    # Decides how to display fetched gadgets according to options.
+    # @param [Array<OneGadget::Gadget::Gadget>] gadgets
+    # @param [String] libc_file
+    # @return [Boolean]
+    def handle_gadgets(gadgets, libc_file)
+      return false if gadgets.empty? # error occurs when fetching gadgets
+      return handle_script(gadgets, @options[:script]) if @options[:script]
+      return handle_near(libc_file, gadgets, @options[:near]) if @options[:near]
+
+      display_gadgets(gadgets, @options[:raw])
+    end
+
+    # Displays libc information given BuildID.
+    # @param [String] id
+    # @return [Boolean]
+    #   +false+ is returned if no information found.
+    # @example
+    #   CLI.info_build_id('b417c')
+    #   # [OneGadget] Information of b417c:
+    #   #             spec/data/libc-2.27-b417c0ba7cc5cf06d1d1bed6652cedb9253c60d0.so
+    #   #
+    #   #             Advanced Micro Devices X86-64
+    #   #
+    #   #             GNU C Library (Ubuntu GLIBC 2.27-3ubuntu1) stable release version 2.27.
+    #   #             Copyright (C) 2018 Free Software Foundation, Inc.
+    #   #             This is free software; see the source for copying conditions.
+    #   #             There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
+    #   #             PARTICULAR PURPOSE.
+    #   #             Compiled by GNU CC version 7.3.0.
+    #   #             libc ABIs: UNIQUE IFUNC
+    #   #             For bug reporting instructions, please see:
+    #   #             <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
+    #   #=> true
+    def info_build_id(id)
+      result = OneGadget::Gadget.builds_info(id)
+      return false if result.nil? # invalid form or BuildID not found
+
+      OneGadget::Logger.info("Information of #{id}:\n#{result.join("\n")}")
+      true
+    end
+
+    # The option parser.
+    # @return [OptionParser]
+    def parser
+      @parser ||= OptionParser.new do |opts|
+        opts.banner = USAGE
+
+        opts.on('-b', '--build-id BuildID', 'BuildID[sha1] of libc.') do |b|
+          @options[:build_id] = b
+        end
+
+        opts.on('-f', '--[no-]force-file', 'Force search gadgets in file instead of build id first.') do |f|
+          @options[:force_file] = f
+        end
+
+        opts.on('-l', '--level OUTPUT_LEVEL', Integer, 'The output level.',
+                'OneGadget automatically selects gadgets with higher successful probability.',
+                'Increase this level to ask OneGadget show more gadgets it found.',
+                'Default: 0') do |l|
+          @options[:level] = l
+        end
+
+        opts.on('-n', '--near FUNCTIONS/FILE', 'Order gadgets by their distance to the given functions'\
+                ' or to the GOT functions of the given file.') do |n|
+          @options[:near] = n
+        end
+
+        opts.on('-r', '--[no-]raw', 'Output gadgets offset only, split with one space.') do |v|
+          @options[:raw] = v
+        end
+
+        opts.on('-s', '--script exploit-script', 'Run exploit script with all possible gadgets.',
+                'The script will be run as \'exploit-script $offset\'.') do |s|
+          @options[:script] = s
+        end
+
+        opts.on('--info BuildID', 'Show version information given BuildID.') do |b|
+          @options[:info] = b
+        end
+
+        opts.on('--version', 'Current gem version.') do |v|
+          @options[:version] = v
+        end
+      end
+    end
+
+    # Writes +msg+ to stdout and returns +true+.
+    # @param [String] msg
+    # @return [true]
+    def show(msg)
+      puts msg
+      true
+    end
+
+    # Spawns and waits until the process end.
+    # @param [String] cmd
+    # @return [void]
+    def execute(cmd)
+      Process.wait(spawn(cmd))
+    end
+
+    # Handles the --script feature.
+    # @param [Array<OneGadget::Gadget::Gadget>] gadgets
+    # @param [String] script
+    # @return [true]
+    def handle_script(gadgets, script)
+      gadgets.map(&:offset).each do |offset|
+        OneGadget::Logger.info("Trying #{OneGadget::Helper.colored_hex(offset)}...")
+        execute("#{script} #{offset}")
+      end
+      true
+    end
+
+    # Writes gadgets to stdout.
+    # @param [Array<OneGadget::Gadget::Gadget>] gadgets
+    # @param [Boolean] raw
+    #   In raw mode, only the offset of gadgets are printed.
+    # @return [true]
+    def display_gadgets(gadgets, raw)
+      if raw
+        show(gadgets.map(&:offset).join(' '))
+      else
+        show(gadgets.map(&:inspect).join("\n"))
+      end
+    end
+
+    # Logs error.
+    # @param [String] msg
+    # @return [false]
+    def error(msg)
+      OneGadget::Logger.error(msg)
+      false
+    end
+
+    # Implements the --near feature.
+    # @param [String] libc_file
+    # @param [Array<OneGadget::Gadget::Gadget>] gadgets
+    # @param [String] near
+    #   This can be name of functions or an ELF file.
+    #   - Use one comma without spaces to specify a list of functions: +printf,scanf,free+.
+    #   - Path to an ELF file and take its GOT functions to process: +/bin/ls+
+    def handle_near(libc_file, gadgets, near)
+      return error('Libc file must be given when using --near option') unless libc_file
+
+      functions = if File.file?(near) && OneGadget::Helper.valid_elf_file?(near)
+                    OneGadget::Helper.got_functions(near)
+                  else
+                    near.split(',').map(&:strip)
+                  end
+      function_offsets = OneGadget::Helper.function_offsets(libc_file, functions)
+      return error('No functions for processing') if function_offsets.empty?
+
+      function_offsets.each do |function, offset|
+        colored_offset = OneGadget::Helper.colored_hex(offset)
+        OneGadget::Logger.warn("Gadgets near #{OneGadget::Helper.colorize(function)}(#{colored_offset}):")
+        display_gadgets(gadgets.sort_by { |gadget| (gadget.offset - offset).abs }, @options[:raw])
+        show("\n")
+      end
+      true
+    end
+  end
+end

data/lib/one_gadget/emulators/aarch64.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'one_gadget/abi'
 require 'one_gadget/emulators/instruction'
 require 'one_gadget/emulators/processor'
@@ -150,13 +152,6 @@ module OneGadget
         register?(reg) && reg.start_with?('x')
       end
 
-      # Override
-      # def global_var?(obj)
-      #   str = obj.is_a?(OneGadget::Emulators::Lambda) ? obj.obj.to_s : obj.to_s
-      #   # TODO: check if this assumption usually correct
-      #   (%w[x19 x20 x21] << libc_base.obj).any? { |r| str.include?(r) }
-      # end
-
       def add_writable(lmda)
         # XXX: Better way is check LOAD segment of the libc ELF.
         # XXX: Should also checks deref_count, but sometimes [[$base+xx]] is also writable..

data/lib/one_gadget/emulators/amd64.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'one_gadget/abi'
 require 'one_gadget/emulators/x86'
 

data/lib/one_gadget/emulators/i386.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'one_gadget/abi'
 require 'one_gadget/emulators/x86'
 

data/lib/one_gadget/emulators/instruction.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'one_gadget/error'
 
 module OneGadget

data/lib/one_gadget/emulators/lambda.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'one_gadget/error'
 require 'one_gadget/helper'
 
@@ -26,7 +28,7 @@ module OneGadget
       def +(other)
         raise Error::InstructionArgumentError, "Expect other(#{other}) to be numeric." unless other.is_a?(Numeric)
 
-        if deref_count > 0
+        if deref_count.positive?
           ret = Lambda.new(self)
         else
           ret = Lambda.new(obj)
@@ -79,13 +81,19 @@ module OneGadget
         str
       end
 
-      # Eval the value of lambda.
-      # Only support those like +rsp+0x30+.
+      # Evaluates the value of lambda.
+      # Only supports +rsp+0x30+ form.
       # @param [Hash{String => Integer}] context
       #   The context.
       # @return [Integer] Result of evaluation.
+      # @example
+      #   l = Lambda.parse('rax+0x30')
+      #   l.evaluate('rax' => 2)
+      #   #=> 50
       def evaluate(context)
-        raise Error::InstructionArgumentError, "Can't eval #{self}" if deref_count > 0 || (obj && !context.key?(obj))
+        if deref_count.positive? || (obj && !context.key?(obj))
+          raise Error::InstructionArgumentError, "Can't eval #{self}"
+        end
 
         context[obj] + immi
       end

data/lib/one_gadget/emulators/processor.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'one_gadget/emulators/lambda'
 require 'one_gadget/error'
 

data/lib/one_gadget/emulators/x86.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'one_gadget/emulators/instruction'
 require 'one_gadget/emulators/lambda'
 require 'one_gadget/emulators/processor'

data/lib/one_gadget/error.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module OneGadget
   # OneGadget errors.
   module Error

data/lib/one_gadget/fetcher.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'one_gadget/error'
 require 'one_gadget/fetchers/aarch64'
 require 'one_gadget/fetchers/amd64'

data/lib/one_gadget/fetchers/aarch64.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'one_gadget/emulators/aarch64'
 require 'one_gadget/fetchers/base'
 

data/lib/one_gadget/fetchers/amd64.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'one_gadget/emulators/amd64'
 require 'one_gadget/fetchers/x86'
 

data/lib/one_gadget/fetchers/base.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'shellwords'
 
 module OneGadget

data/lib/one_gadget/fetchers/i386.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'elftools'
 
 require 'one_gadget/emulators/i386'

data/lib/one_gadget/fetchers/x86.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'one_gadget/fetchers/base'
 
 module OneGadget

data/lib/one_gadget/gadget.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'one_gadget/abi'
 require 'one_gadget/emulators/lambda'
 require 'one_gadget/error'

data/lib/one_gadget/helper.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'net/http'
 require 'openssl'
 require 'pathname'
@@ -125,6 +127,13 @@ module OneGadget
       "#{color}#{str.sub(cc[:esc_m], color)}#{cc[:esc_m]}"
     end
 
+    # Returns the hexified and colorized integer.
+    # @param [Integer] val
+    # @return [String]
+    def colored_hex(val)
+      colorize(hex(val), sev: :integer)
+    end
+
     # Fetch the latest release version's tag name.
     # @return [String] The tag name, in form +vX.X.X+.
     def latest_tag
@@ -200,7 +209,7 @@ module OneGadget
     rescue ELFTools::ELFError # not a valid ELF
       :invalid
     ensure
-      f.close if f
+      f&.close
     end
 
     # Present number in hex format.
@@ -312,5 +321,31 @@ module OneGadget
         i386: 'i686-linux-gnu-objdump'
       }[arch]
     end
+
+    # Returns the names of functions from the file's global offset table.
+    # @param [String] file
+    # @return [Array<String>]
+    def got_functions(file)
+      arch = architecture(file)
+      objdump_bin = find_objdump(arch)
+      `#{::Shellwords.join([objdump_bin, '-T', file])} | grep -iPo 'GLIBC_.+?\\s+\\K.*'`.split
+    end
+
+    # Returns a dictionary that maps functions to their offsets.
+    # @param [String] file
+    # @param [Array<String>] functions
+    # @return [Hash{String => Integer}]
+    def function_offsets(file, functions)
+      arch = architecture(file)
+      objdump_bin = find_objdump(arch)
+      objdump_cmd = ::Shellwords.join([objdump_bin, '-T', file])
+      functions.map! { |f| '\\b' + f + '\\b' }
+      ret = {}
+      `#{objdump_cmd} | grep -iP '(#{functions.join('|')})'`.lines.map(&:chomp).each do |line|
+        tokens = line.split
+        ret[tokens.last] = tokens.first.to_i(16)
+      end
+      ret
+    end
   end
 end

data/lib/one_gadget/logger.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'logger'
 
 require 'one_gadget/helper'
@@ -18,7 +20,9 @@ module OneGadget
               when 'INFO' then :reg
               when 'ERROR' then :error
               end
-      "[#{OneGadget::Helper.colorize('OneGadget', sev: color)}] #{message.join}"
+      msg = +"[#{OneGadget::Helper.colorize('OneGadget', sev: color)}] #{message.join}"
+      msg << "\n" unless msg.end_with?("\n")
+      msg
     end
 
     module_function

data/lib/one_gadget/one_gadget.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'one_gadget/error'
 require 'one_gadget/fetcher'
 require 'one_gadget/helper'
@@ -60,7 +62,7 @@ module OneGadget
     # Remove hard-to-reach-constrains gadgets according to level
     def refine_gadgets(gadgets, level)
       return [] if gadgets.empty?
-      return gadgets if level > 0 # currently only supports level > 0 or not
+      return gadgets if level.positive? # currently only supports level > 0 or not
 
       high, low = gadgets.partition { |g| g.score >= 0.2 }
       return take_until(low, 3) if high.empty?

data/lib/one_gadget/update.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'fileutils'
 
 require 'one_gadget/helper'

data/lib/one_gadget/version.rb

@@ -1,4 +1,6 @@
+# frozen_string_literal: true
+
 module OneGadget
   # Current gem version.
-  VERSION = '1.7.1'.freeze
+  VERSION = '1.7.2'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: one_gadget
 version: !ruby/object:Gem::Version
-  version: 1.7.1
+  version: 1.7.2
 platform: ruby
 authors:
 - david942j
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-04-19 00:00:00.000000000 Z
+date: 2019-05-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: elftools
@@ -634,6 +634,7 @@ files:
 - lib/one_gadget/builds/libc-2.23-131c254aed46e6a24cb08f3abe802ea0ef50e5f9.rb
 - lib/one_gadget/builds/libc-2.23-1800a4bdb0c42a7bb7a570ed90724fa04de8a4fe.rb
 - lib/one_gadget/builds/libc-2.23-1b1d19add6d861e16e04e4b8e9864a7bc16c1327.rb
+- lib/one_gadget/builds/libc-2.23-1ca54a6e0d76188105b12e49fe6b8019bf08803a.rb
 - lib/one_gadget/builds/libc-2.23-1e80992437b5e1cb76bf56605ee8991e76e85f69.rb
 - lib/one_gadget/builds/libc-2.23-1f1cf1c7ff279aa37add352423fd850e06be1098.rb
 - lib/one_gadget/builds/libc-2.23-233dde1d38ecdc54bef352f1b5ee4e007ec9df26.rb
@@ -671,6 +672,7 @@ files:
 - lib/one_gadget/builds/libc-2.23-961068caa1dcd5005b27c7c6abe32e94102eae3f.rb
 - lib/one_gadget/builds/libc-2.23-96f8c796364693379a2a0c753133fecbd1c52434.rb
 - lib/one_gadget/builds/libc-2.23-99de357f509368d89f95b0e92b0d5227e8b8addc.rb
+- lib/one_gadget/builds/libc-2.23-9a6b57c7a4f93d7e54e61bccb7df996c8bc58141.rb
 - lib/one_gadget/builds/libc-2.23-9e85392b0c4e3e2c8fdc063dfda4c3d0e0156e54.rb
 - lib/one_gadget/builds/libc-2.23-a594a9c73a6067ab00a0f8db78d665be147acdc1.rb
 - lib/one_gadget/builds/libc-2.23-a6fe771348e04d552fa1e6dcaf610699719bdd0e.rb
@@ -831,6 +833,7 @@ files:
 - lib/one_gadget/builds/libc-2.28-5784a31a1c26f6d2157e585205ebb63dd19ff90f.rb
 - lib/one_gadget/builds/libc-2.28-5b157f49586a3ca84d55837f97ff466767dd3445.rb
 - lib/one_gadget/builds/libc-2.28-6ee9454b96efa9e343f9e8105f2fa4529265ea05.rb
+- lib/one_gadget/cli.rb
 - lib/one_gadget/emulators/aarch64.rb
 - lib/one_gadget/emulators/amd64.rb
 - lib/one_gadget/emulators/i386.rb
@@ -867,7 +870,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.1.0
+      version: 2.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="