
Find satisfiable one gadgets from a running gdb instance


pwn_gadget

Check for satisfied one gadget constraints using the state of a running gdb instance

Installation

Requires the one_gadget tool to be installed and on your PATH; it is invoked via subprocess to gather the gadgets and their constraints.

Manual Install

Installs the pwn_gadget package for use in pwntools scripts and as a gdb command:

git clone https://github.com/zolutal/pwn_gadget && \
pip install pwn_gadget/ && \
cp pwn_gadget/pwn_gadget.py ~/.pwn_gadget.py && echo "source ~/.pwn_gadget.py" >> ~/.gdbinit

Installation from PyPi

Installs the pwn_gadget package for use in pwntools scripts only; it does not set up the gdb command, and the PyPI release may lag behind the repository:

pip install pwn-gadget

How does this work?

pwn_gadget parses the constraints generated by one_gadget in Python into a format that can be evaluated by a gdb print command.

Using the gdb Python API, accessed either from the gdb plugin or through pwntools' gdb module, it executes the commands parsed from the one_gadget constraints.

It then performs all of the boolean operations from the one_gadget constraints on the results returned by gdb.

It searches for a gadget for which every boolean operation returned True and returns either that gadget's offset or None.

Whether or not a satisfiable gadget is found, color-coded information about the succeeding and failing constraints of each gadget is printed.
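The parse-evaluate-AND loop described above, as an added example that is not pwn_gadget's own code: it parses constructed one_gadget-style output (offsets and registers are made up) and evaluates each constraint against a register dictionary and a sparse memory map standing in for a stopped gdb inferior, returning the first offset whose constraints all hold. Only the common constraint forms are handled; anything else is treated as unsatisfied.

```python
import re

# Constructed one_gadget-style output; offsets and registers are made up but follow the tool's text shape.
SAMPLE = """\
0xe3afe execve("/bin/sh", r15, r12)
constraints:
  [r15] == NULL || r15 == NULL || r15 is a valid argv
  [r12] == NULL || r12 == NULL || r12 is a valid envp

0xe3b04 execve("/bin/sh", rsi, rdx)
constraints:
  rsp & 0xf == 0
  [rsi] == NULL || rsi == NULL || rsi is a valid argv
  [rdx] == NULL || rdx == NULL || rdx is a valid envp
"""

def parse_one_gadget(text):
    """Split one_gadget output into [(offset, [constraint line, ...]), ...]."""
    gadgets = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        gadgets.append((int(lines[0].split()[0], 16), [l.strip() for l in lines[2:]]))
    return gadgets

def check_atom(atom, regs, mem):
    """Evaluate one '||'-free term against registers and a sparse map of readable 8-byte words.
    Reading an unmapped address yields None (gdb would raise); unknown forms count as unsatisfied."""
    read = mem.get
    if m := re.fullmatch(r"\[(\w+)([+-]0x[0-9a-f]+)?\] == NULL", atom):
        return read(regs[m[1]] + int(m[2] or "0", 16)) == 0
    if m := re.fullmatch(r"(\w+) == NULL", atom):
        return regs[m[1]] == 0
    if m := re.fullmatch(r"(\w+) & (0x[0-9a-f]+) == 0", atom):
        return regs[m[1]] & int(m[2], 16) == 0
    if m := re.fullmatch(r"(\w+) is a valid (argv|envp)", atom):
        # readable NULL-terminated array whose entries are themselves readable pointers
        p = regs[m[1]]
        while (w := read(p)) is not None:
            if w == 0:
                return True
            if read(w) is None:
                return False
            p += 8
        return False
    return False

def find_gadget(gadgets, regs, mem):
    """Offset of the first gadget whose constraint lines (each an OR of atoms) all hold, else None."""
    for offset, constraints in gadgets:
        if all(any(check_atom(a.strip(), regs, mem) for a in c.split("||")) for c in constraints):
            return offset
    return None
```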

Usage

As a gdb plugin

(gdb) pwn_gadget ./libc.so.6

In a pwntools script

from pwn import *
import pwn_gadget

p = process("chal")
libc = p.libc

# attach and break at the target address
_, gdb_api = gdb.attach(p, gdbscript="b *(vuln+180)", api=True)
# call pwn_gadget function to look for satisfied gadgets
gadget = pwn_gadget.find_gadget(gdb_api, libc.path)

# use found address in payload
payload = b"A"*32 + p64(gadget+libc.address)
p.sendline(payload)

p.interactive()

Example Output

Success: screenshot of a successful discovery of a satisfied one gadget.

Failure: screenshot of a failed discovery of a satisfied one gadget.


Built Distribution

pwn_gadget-0.0.2-py3-none-any.whl (8.0 kB)
