A Python library for finding one-gadgets
Project description
one-gadget-lib
A one-gadget is a code sequence in libc that invokes "/bin/sh" with no arguments, so all you need to do is jump to its address. This library provides a function that finds the offsets of one-gadgets in libc.
One-gadget-lib works with both Python 2 and Python 3.
Install

```
pip install one_gadget
```

or

```
pip3 install one_gadget
```
Dependencies
- capstone
- pyelftools
You don't have to install them explicitly; they are pulled in with the package.
Usage

```python
from one_gadget import generate_one_gadget

path_to_libc = '/lib/x86_64-linux-gnu/libc.so.6'
for offset in generate_one_gadget(path_to_libc):
    print(offset)
```
Future work
- Support ARM
- Support complex cases like this one:
```
45216: 48 8d 35 43 13 38 00 lea rsi,[rip+0x381343] # 3c6560 <__abort_msg@@GLIBC_PRIVATE+0x980>
4521d: 31 d2 xor edx,edx
4521f: bf 02 00 00 00 mov edi,0x2
45224: 48 89 5c 24 40 mov QWORD PTR [rsp+0x40],rbx
45229: 48 c7 44 24 48 00 00 mov QWORD PTR [rsp+0x48],0x0
45230: 00 00
45232: 48 89 44 24 30 mov QWORD PTR [rsp+0x30],rax
45237: 48 8d 05 16 7b 14 00 lea rax,[rip+0x147b16] # 18cd54 <_libc_intl_domainname@@GLIBC_2.2.5+0x194>
4523e: 48 89 44 24 38 mov QWORD PTR [rsp+0x38],rax
45243: e8 a8 04 ff ff call 356f0 <__sigaction@@GLIBC_2.2.5>
45248: 48 8d 35 71 12 38 00 lea rsi,[rip+0x381271] # 3c64c0 <__abort_msg@@GLIBC_PRIVATE+0x8e0>
4524f: 31 d2 xor edx,edx
45251: bf 03 00 00 00 mov edi,0x3
45256: e8 95 04 ff ff call 356f0 <__sigaction@@GLIBC_2.2.5>
4525b: 31 d2 xor edx,edx
4525d: 4c 89 e6 mov rsi,r12
45260: bf 02 00 00 00 mov edi,0x2
45265: e8 b6 04 ff ff call 35720 <sigprocmask@@GLIBC_2.2.5>
4526a: 48 8b 05 47 ec 37 00 mov rax,QWORD PTR [rip+0x37ec47] # 3c3eb8 <_IO_file_jumps@@GLIBC_2.2.5+0x7d8>
45271: 48 8d 3d df 7a 14 00 lea rdi,[rip+0x147adf] # 18cd57 <_libc_intl_domainname@@GLIBC_2.2.5+0x197>
45278: 48 8d 74 24 30 lea rsi,[rsp+0x30]
4527d: c7 05 19 12 38 00 00 mov DWORD PTR [rip+0x381219],0x0 # 3c64a0 <__abort_msg@@GLIBC_PRIVATE+0x8c0>
45284: 00 00 00
45287: c7 05 13 12 38 00 00 mov DWORD PTR [rip+0x381213],0x0 # 3c64a4 <__abort_msg@@GLIBC_PRIVATE+0x8c4>
4528e: 00 00 00
45291: 48 8b 10 mov rdx,QWORD PTR [rax]
45294: e8 d7 74 08 00 call cc770 <execve@@GLIBC_2.2.5>
```
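The case above is hard for a pattern-based finder because the arguments to execve are not loaded by one self-contained instruction: rsi points at a block built on the stack and rdx is read through rax from a global. Below is an added example (not part of one_gadget) that parses a contiguous tail of that objdump listing, merges the byte-only continuation lines, and reports which instruction last wrote each argument register before every call; the scan stops at an earlier call because a callee may clobber those caller-saved registers. The listing excerpt is copied from the page; the helper names are my own.

```python
import re
from collections import namedtuple
# Constructed input: the tail of the "complex case" listing above (objdump -M intel output).
LISTING = """\
45265: e8 b6 04 ff ff call 35720 <sigprocmask@@GLIBC_2.2.5>
4526a: 48 8b 05 47 ec 37 00 mov rax,QWORD PTR [rip+0x37ec47] # 3c3eb8 <_IO_file_jumps@@GLIBC_2.2.5+0x7d8>
45271: 48 8d 3d df 7a 14 00 lea rdi,[rip+0x147adf] # 18cd57 <_libc_intl_domainname@@GLIBC_2.2.5+0x197>
45278: 48 8d 74 24 30 lea rsi,[rsp+0x30]
4527d: c7 05 19 12 38 00 00 mov DWORD PTR [rip+0x381219],0x0 # 3c64a0 <__abort_msg@@GLIBC_PRIVATE+0x8c0>
45284: 00 00 00
45287: c7 05 13 12 38 00 00 mov DWORD PTR [rip+0x381213],0x0 # 3c64a4 <__abort_msg@@GLIBC_PRIVATE+0x8c4>
4528e: 00 00 00
45291: 48 8b 10 mov rdx,QWORD PTR [rax]
45294: e8 d7 74 08 00 call cc770 <execve@@GLIBC_2.2.5>
"""
Insn = namedtuple("Insn", "addr data mnemonic operands")

def parse_listing(text):
    """Parse objdump lines; a line holding only bytes continues the previous instruction."""
    insns = []
    for raw in text.splitlines():
        addr_s, _, rest = raw.partition(" # ")[0].partition(":")  # drop objdump's "# target" note
        toks = rest.split()
        n = 0
        while n < len(toks) and re.fullmatch(r"[0-9a-f]{2}", toks[n]):
            n += 1
        data = bytes.fromhex("".join(toks[:n]))
        if n == len(toks):  # continuation line such as "45284: 00 00 00"
            insns[-1] = insns[-1]._replace(data=insns[-1].data + data)
        else:
            insns.append(Insn(int(addr_s, 16), data, toks[n], " ".join(toks[n + 1:])))
    return insns

# SysV x86-64 argument registers; the 32-bit aliases map to the full register.
ARG_REGS = {"rdi": "rdi", "edi": "rdi", "rsi": "rsi", "esi": "rsi", "rdx": "rdx", "edx": "rdx"}
def argument_setup(insns, call_index):
    """Address of the last write to each argument register before the call at call_index.
    The scan stops at an earlier call, since a callee may clobber these caller-saved registers."""
    found = {}
    for insn in reversed(insns[:call_index]):
        if insn.mnemonic == "call":
            break
        reg = ARG_REGS.get(insn.operands.split(",")[0].strip())
        if reg and reg not in found:
            found[reg] = insn.addr
    return found

def call_sites(insns):
    return [(re.search(r"<([^@>+]+)", i.operands).group(1), argument_setup(insns, k))
            for k, i in enumerate(insns) if i.mnemonic == "call"]
```

Summing the merged byte lengths and comparing with the address delta is a quick check that the parser rebuilt every instruction.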
References
- one_gadget
- The one-gadget in glibc (blog post by the author of one_gadget)
File details
Details for the file one_gadget-1.1.0.tar.gz.
File metadata
- Download URL: one_gadget-1.1.0.tar.gz
- Upload date:
- Size: 5.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/1.11.0 pkginfo/1.4.2 requests/2.18.4 setuptools/40.0.0 requests-toolbelt/0.8.0 tqdm/4.19.8 CPython/3.5.2
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | dc4be6bef7214c2686a1d0b35293862cad8cc4e82ae3192bed555181924f1977 |
| MD5 | 6e93b09aeee9ea1b54b0b8f698688829 |
| BLAKE2b-256 | 4551562df4586938592869dd825bec99fe83283657876395300fe4adc9087939 |
File details
Details for the file one_gadget-1.1.0-py3-none-any.whl.
File metadata
- Download URL: one_gadget-1.1.0-py3-none-any.whl
- Upload date:
- Size: 5.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/1.11.0 pkginfo/1.4.2 requests/2.18.4 setuptools/40.0.0 requests-toolbelt/0.8.0 tqdm/4.19.8 CPython/3.5.2
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 9a71167f902c2555ba9e7d5378f16fbd389a1f17df3e41027f4bd7eb545c93ee |
| MD5 | 56c1a84ee2f77535fa740b6f329434eb |
| BLAKE2b-256 | e408068918e4bfddf2c8c403e5594fab6210b90aac63e6e45a358555c656983b |