Find satisfiable one gadgets from a running gdb instance
Project description
pwn_gadget
Check for satisfied one gadget constraints using the state of a running gdb instance
Installation
Requires the one_gadget tool to be installed and on your PATH; pwn_gadget invokes it via subprocess to gather the gadgets and their constraints.
Manual Install
Installs the pwn_gadget package for use in pwntools scripts and registers it as a gdb command:
git clone https://github.com/zolutal/pwn_gadget && \
pip install pwn_gadget/ && \
cp pwn_gadget/pwn_gadget.py ~/.pwn_gadget.py && echo "source ~/.pwn_gadget.py" >> ~/.gdbinit
Installation from PyPi
Installs the pwn_gadget package for use in pwntools scripts only; it does not set up the gdb command, and the PyPI release may lag behind the repository:
pip install pwn-gadget
How does this work?
- pwn_gadget parses the constraints generated by one_gadget in Python into a format that can be evaluated by a gdb print command.
- Leveraging the gdb Python API (accessed through the gdb plugin or through pwntools' gdb module), it executes those print commands parsed from the one_gadget constraints.
- It performs all of the boolean operations in the one_gadget constraints on the results of the commands run in gdb.
- It searches for a gadget where every boolean operation returned True, returning either that gadget's offset or None.
Regardless of whether a satisfiable gadget is found, color-coded information on the succeeding and failing constraints for each gadget is printed. Because the constraints are evaluated against whatever register and memory state gdb sees at the time of the call, the process should be stopped at the point where the gadget address will actually be used (for example, the ret of the vulnerable function).
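The pipeline above, as an added stand-alone illustration that is not the project's own code: a constructed sample of one_gadget's text output is parsed into gadgets, each constraint is translated into an expression gdb's print command can evaluate, and the first gadget whose constraints all hold is selected. The names parse_one_gadget, translate, check_gadgets and FakeGdb are this example's own. FakeGdb stands in for gdb.parse_and_eval so the script runs outside gdb; constraint forms that need a memory walk ("... is a valid argv", "writable: ...") are conservatively treated as unsatisfied rather than guessed, and an unreadable memory address counts as a failed constraint instead of aborting the search.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of one_gadget's output; offsets are illustrative, not from any real libc.
ONE_GADGET_OUTPUT = """\
0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
constraints:
  rsp & 0xf == 0
  rcx == NULL

0x4f322 execve("/bin/sh", rsp+0x40, environ)
constraints:
  [rsp+0x40] == NULL

0x10a38c execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
  rax == NULL || {"/bin/sh", rax, NULL} is a valid argv
"""

Gadget = Tuple[int, str, List[str]]  # (offset, description, raw constraint lines)
HEADER_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(.+)$")
REG_RE = re.compile(r"\b(r(?:[abcd]x|[sd]i|[sb]p|ip|\d+))\b")  # x86-64 register names


def parse_one_gadget(text: str) -> List[Gadget]:
    """Split one_gadget's output into gadgets, each with its raw constraint lines."""
    gadgets: List[Gadget] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "constraints:":
            continue
        m = HEADER_RE.match(line)
        if m:
            gadgets.append((int(m.group(1), 16), m.group(2), []))
        elif gadgets:
            gadgets[-1][2].append(line)
    return gadgets


def translate(constraint: str) -> Optional[str]:
    """Turn one constraint line into an expression gdb's `print` can evaluate.

    '||' alternatives are translated independently; forms that need a memory walk
    ("is a valid argv/envp", "writable: ...") are dropped. None means nothing was
    translatable, which the caller treats as unsatisfied.
    """
    alternatives = []
    for alt in constraint.split("||"):
        alt = alt.strip()
        if "is a valid" in alt or alt.startswith("writable:"):
            continue
        m = re.fullmatch(r"(?:address )?(.+?) is 16-byte aligned", alt)
        if m:
            alt = f"{m.group(1)} & 0xf == 0"
        alt = alt.replace("NULL", "0")
        # In C (and gdb) '==' binds tighter than '&', so the mask must be parenthesized.
        alt = re.sub(r"^(.+?) & (0x[0-9a-fA-F]+) == (.+)$", r"(\1 & \2) == \3", alt)
        # [expr] in one_gadget output means an 8-byte load from expr.
        alt = re.sub(r"\[([^\]]+)\]", r"*(unsigned long *)(\1)", alt)
        alt = REG_RE.sub(r"$\1", alt)  # rsp -> $rsp, gdb's register convenience variable
        alternatives.append(f"({alt})")
    return " || ".join(alternatives) if alternatives else None


def check_gadgets(gadgets: List[Gadget], evaluate: Callable[[str], int]):
    """Evaluate every constraint of every gadget (inside gdb, evaluate is gdb.parse_and_eval).

    Returns (offset of the first gadget whose constraints all hold, or None,
             {offset: [(constraint, satisfied), ...]} for the per-gadget report).
    """
    found: Optional[int] = None
    report: Dict[int, List[Tuple[str, bool]]] = {}
    for offset, _desc, constraints in gadgets:
        results = []
        for c in constraints:
            expr = translate(c)
            try:
                ok = expr is not None and bool(evaluate(expr))
            except Exception:  # e.g. gdb.MemoryError on an unmapped read: the constraint fails
                ok = False
            results.append((c, ok))
        report[offset] = results
        if found is None and all(ok for _, ok in results):
            found = offset
    return found, report


class FakeGdb:
    """Stand-in for gdb.parse_and_eval: a fixed register file and an 8-byte-word memory map."""

    def __init__(self, regs: Dict[str, int], mem: Dict[int, int]):
        self.regs, self.mem = regs, mem

    def _load(self, addr: int) -> int:
        if addr not in self.mem:
            raise MemoryError(f"cannot access memory at {addr:#x}")
        return self.mem[addr]

    def parse_and_eval(self, expr: str) -> int:
        # Rewrite the C-style gdb expression into Python and evaluate it with no builtins.
        py = expr.replace("||", " or ").replace("*(unsigned long *)", "mem")
        py = re.sub(r"\$(\w+)", lambda m: str(self.regs[m.group(1)]), py)
        return int(eval(py, {"__builtins__": {}}, {"mem": self._load}))


if __name__ == "__main__":
    rsp = 0x7ffd0000  # constructed state: aligned stack, rcx nonzero, rax zero
    state = FakeGdb(regs={"rsp": rsp, "rcx": 1, "rax": 0, "rbp": rsp + 0x80},
                    mem={rsp + 0x40: 0, rsp + 0x70: 0})
    offset, report = check_gadgets(parse_one_gadget(ONE_GADGET_OUTPUT), state.parse_and_eval)
    for off, results in report.items():
        print(f"{off:#x}")
        for c, ok in results:
            print(f"  [{'OK ' if ok else 'FAIL'}] {c}")
    print("satisfied gadget:", None if offset is None else hex(offset))
```

With the constructed state the first gadget fails on rcx, so the second one (0x4f322) is returned even though the third would also pass; the report still lists every constraint of every gadget, which is what lets you see which register or stack slot to fix when nothing is satisfiable.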
Usage
As a gdb plugin
(gdb) pwn_gadget ./libc.so.6
In a pwntools script
from pwn import *
import pwn_gadget

p = process("chal")
# ELF for the process's libc; pwntools sets libc.address from the live memory map
libc = p.libc

# attach gdb and break at the target address (the point whose register/memory
# state the one_gadget constraints are checked against); api=True returns (pid, gdb.Gdb)
_, gdb_api = gdb.attach(p, gdbscript="b *(vuln+180)", api=True)

# evaluate every one_gadget constraint against the state gdb currently sees;
# returns the satisfied gadget's offset into libc, or None if none is satisfied
gadget = pwn_gadget.find_gadget(gdb_api, libc.path)
if gadget is None:
    log.error("no one gadget has all of its constraints satisfied here")

# rebase the offset onto the libc base and use it in the payload
payload = b"A"*32 + p64(libc.address + gadget)
p.sendline(payload)
p.interactive()
Example Output
The original README shows two screenshots here: Success (a run where one gadget has every constraint satisfied) and Failure (a run where every gadget has at least one failing constraint).
File details
Details for the file pwn_gadget-0.0.2-py3-none-any.whl
- Size: 8.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.1 CPython/3.10.4
File hashes
Algorithm | Hash digest
---|---
SHA256 | 438000772b0d8fbdee0ee960983f5558e4a91392644c9f4be6a40e47247b2588
MD5 | 4e7ba1e824d0478add25ab34a8b3205f
BLAKE2b-256 | 13cdc8ed156ef5caf44b09f7333d0549591d2d8d26d2856fcff2195f53807d9b