Find satisfiable one gadgets from a running gdb instance
pwn_gadget
Check for satisfied one gadget constraints using the state of a running gdb instance
Installation
Requires the one_gadget tool to be installed and on your PATH; it is called via subprocess to gather the gadgets and their constraints.
Manual Install
Installs pwn_gadget package for use in pwntools scripts and as a gdb command
git clone https://github.com/zolutal/pwn_gadget && \
pip install pwn_gadget/ && \
cp pwn_gadget/pwn_gadget.py ~/.pwn_gadget.py && echo "source ~/.pwn_gadget.py" >> ~/.gdbinit
Installation from PyPi
Installs the pwn_gadget package for use in pwntools scripts; this will not set up the gdb command (and the PyPI release may be somewhat outdated).
pip install pwn-gadget
How does this work?
pwn_gadget parses the constraints generated by one_gadget in Python into a format that can be evaluated by a gdb print command.
Leveraging the gdb Python API, accessed through a gdb plugin or through pwntools' gdb module, it executes the print commands parsed from the one_gadget constraints.
It then performs all of the boolean operations in the one_gadget constraints on the results of the commands run in gdb.
Finally, it searches for a gadget where every boolean operation returned True, returning either that gadget's offset or None.
Whether or not a satisfiable gadget is found, color-coded information on the succeeding and failing constraints for each gadget is printed.
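The pipeline described above, as an added illustration that is not pwn_gadget's own code: it parses a constructed one_gadget listing, rewrites each constraint atom into the shape a gdb print expression takes, and evaluates it against fake_gdb, a hypothetical offline stand-in for gdb.parse_and_eval that fails on unmapped memory the way gdb.error would.

```python
import re
# Constructed one_gadget-style output (not from a real libc); syntax mirrors one_gadget's
SAMPLE = """0xe3afe execve("/bin/sh", r15, r12)
constraints:
  [r15] == NULL || r15 == NULL
  [r12] == NULL || r12 == NULL

0xe3b01 execve("/bin/sh", r15, rdx)
constraints:
  rsp & 0xf == 0
  [rdx] == NULL || rdx == NULL
"""

def parse_gadgets(text):
    """Return [(offset, [constraint, ...]), ...] from one_gadget's text output."""
    gadgets = []
    for line in text.splitlines():
        m = re.match(r"(0x[0-9a-f]+) ", line)
        if m:
            gadgets.append((int(m.group(1), 16), []))
        elif line.startswith("  ") and gadgets:
            gadgets[-1][1].append(line.strip())
    return gadgets
def to_gdb_expr(atom):
    """Turn one atom such as '[rsp+0x30] == NULL' into a gdb 'print' expression."""
    atom = atom.strip().replace("NULL", "0")
    atom = re.sub(r"\[([^\]]+)\]", r"*(unsigned long*)(\1)", atom)  # [x] -> 8-byte load
    atom = re.sub(r"\b(r\w+)\b", r"$\1", atom)                      # r15 -> $r15
    # gdb uses C precedence, where '==' binds tighter than '&': parenthesise the mask
    return re.sub(r"(\$\w+ & 0x[0-9a-f]+) ==", r"(\1) ==", atom)
def holds(atom, eval_expr):
    try:
        return bool(eval_expr(to_gdb_expr(atom)))
    except Exception:  # gdb raises gdb.error on unreadable memory: treat as unmet
        return False
def find_gadget(text, eval_expr):
    """First offset whose constraints all hold ('||' means any alternative), else None."""
    for offset, constraints in parse_gadgets(text):
        if all(any(holds(a, eval_expr) for a in c.split("||")) for c in constraints):
            return offset
    return None
def fake_gdb(regs, mem):
    """Offline stand-in for gdb.parse_and_eval: resolves $regs and 8-byte loads."""
    def load(m):  # KeyError on an unmapped address stands in for gdb.error
        return str(mem[eval(m.group(1), {}, dict(regs))])
    def eval_expr(expr):
        expr = re.sub(r"\*\(unsigned long\*\)\(([^)]+)\)", load, expr.replace("$", ""))
        return int(eval(expr, {}, dict(regs)))
    return eval_expr
```

In a real session the evaluator is gdb.parse_and_eval (or the pwntools gdb API's equivalent), and the returned offset is added to the libc base exactly as in the usage section.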
Usage
As a gdb plugin
(gdb) pwn_gadget ./libc.so.6
In a pwntools script
from pwn import *
import pwn_gadget

p = process("chal")
libc = p.libc
# attach and break at the target address
_, gdb_api = gdb.attach(p, gdbscript="b *(vuln+180)", api=True)
# call pwn_gadget function to look for satisfied gadgets (returns an offset or None)
gadget = pwn_gadget.find_gadget(gdb_api, libc.path)
if gadget is None:
    error("no one_gadget constraints are satisfied at this breakpoint")
# use found address in payload
payload = b"A"*32 + p64(gadget+libc.address)
p.sendline(payload)
p.interactive()
Example Output (screenshots not included): Success, Failure