Skip to content

Latest commit

 

History

History
64 lines (42 loc) · 3.8 KB

one-gadget.md

File metadata and controls

64 lines (42 loc) · 3.8 KB
Raw

One Gadget

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Basic Information

One Gadget allows to obtain a shell instead of using system and "/bin/sh". One Gadget will find inside the libc library some way to obtain a shell (execve("/bin/sh")) using just one address.
However, normally there are some constrains, the most common ones and easy to avoid are like [rsp+0x30] == NULL As you control the values inside the RSP you just have to send some more NULL values so the constrain is avoided.

ONE_GADGET = libc.address + 0x4526a
rop2 = base + p64(ONE_GADGET) + "\x00"*100

To the address indicated by One Gadget you need to add the base address where libc is loaded.

{% hint style="success" %} One Gadget is a great help for Arbitrary Write 2 Exec techniques and might simplify ROP chains as you only need to call one address (and fulfil the requirements). {% endhint %}

ARM64

The github repo mentions that ARM64 is supported by the tool, but when running it in the libc of a Kali 2023.3 it doesn't find any gadget.

Angry Gadget

From the github repo: Inspired by OneGadget this tool is written in python and uses angr to test constraints for gadgets executing execve('/bin/sh', NULL, NULL)
If you've run out gadgets to try from OneGadget, Angry Gadget gives a lot more with complicated constraints to try!

pip install angry_gadget

angry_gadget.py examples/libc6_2.23-0ubuntu10_amd64.so

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}