Skip to content

Latest commit

 

History

History
62 lines (40 loc) · 3.83 KB

one-gadget.md

File metadata and controls

62 lines (40 loc) · 3.83 KB
Raw

One Gadget

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Basic Information

One Gadget allows to obtain a shell instead of using system and "/bin/sh". One Gadget will find inside the libc library some way to obtain a shell (execve("/bin/sh")) using just one address.
However, normally there are some constrains, the most common ones and easy to avoid are like [rsp+0x30] == NULL As you control the values inside the RSP you just have to send some more NULL values so the constrain is avoided.

ONE_GADGET = libc.address + 0x4526a
rop2 = base + p64(ONE_GADGET) + "\x00"*100

To the address indicated by One Gadget you need to add the base address where libc is loaded.

{% hint style="success" %} One Gadget is a great help for Arbitrary Write 2 Exec techniques and might simplify ROP chains as you only need to call one address (and fulfil the requirements). {% endhint %}

ARM64

The github repo mentions that ARM64 is supported by the tool, but when running it in the libc of a Kali 2023.3 it doesn't find any gadget.

Angry Gadget

From the github repo: Inspired by OneGadget this tool is written in python and uses angr to test constraints for gadgets executing execve('/bin/sh', NULL, NULL)
If you've run out gadgets to try from OneGadget, Angry Gadget gives a lot more with complicated constraints to try!

pip install angry_gadget

angry_gadget.py examples/libc6_2.23-0ubuntu10_amd64.so
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: