From 8765130054a135031810f6fe7fa943ebc22787e1 Mon Sep 17 00:00:00 2001 From: david942j Date: Sat, 18 Sep 2021 16:54:58 +0800 Subject: [PATCH] amd64: loose the limitation of gadgets with jmp (#178) * amd64: loosen the limitation of gadgets with jmp Fix #176 
Signed-off-by: david942j --- ...19-df559a150829d9f3cdd0b5ce1e5b4d512d20f55f.rb | 2 +- ...20-398115bd423958b1769317a6f7e4928df141eb57.rb | 2 +- ...20-f3063b7115d5a383189937852ce356f4c60fd190.rb | 2 +- ...21-9ac81172d5ff96f40d984fe7c10073a98f1a6b2e.rb | 2 +- ...21-f0c24219cbba0605e39e02123398437c5dbbb104.rb | 2 +- ...22-b916e3c1d80069d0209f6376b33e42b75ec49eda.rb | 2 +- ...25-58c735bc7b19b0aeb395cce70cf63bd62ac75e4a.rb | 9 +++++++++ ...26-1c39b3b3faa2a2cbb0fa0b6845b29332562262d3.rb | 9 +++++++++ ...26-6d2b609f0c8e7b338f767b08c5ac712fac809d31.rb | 9 +++++++++ ...26-ddcc13122ddbfe5e5ef77d4ebe66d124ae5762c2.rb | 9 +++++++++ ...26-fb587bc4429e7d1b0de31a3b9ee8ae78ee797eb0.rb | 9 +++++++++ ...27-73cd526a553b3b47c6dd0d6dc62175263cdc646e.rb | 3 +++ ...27-9dd0bb57f81671704475d1e5163405f7b4d4b454.rb | 3 +++ ...27-ce450eb01a5e5acc7ce7b8c2633b02cc1093339e.rb | 3 +++ ...27-d1237c55f6778f53b369cf22ff81979b2fe340bb.rb | 3 +++ ...28-5b157f49586a3ca84d55837f97ff466767dd3445.rb | 12 ++++++++++++ ...28-65ed813688b116fdce9e866ad2fef2e734167337.rb | 6 ++++++ ...28-6ee9454b96efa9e343f9e8105f2fa4529265ea05.rb | 6 ++++++ ...29-5b7203920d3d786ac40af8e0d5104683335f11be.rb | 6 ++++++ ...29-85d5020664b11fd2708859275de41d5ab9d104cf.rb | 6 ++++++ ...29-a8af6c81cb28a37bf3a546970bf64224402f8bd4.rb | 8 +++++++- ...29-c19c88c33b60742ca906e0f9f96fe31b8b79ea9c.rb | 6 ++++++ ...29-d561ec515222887a1e004555981169199d841024.rb | 12 ++++++++++++ ...30-2155f455ad56bd871c8225bcca85ee25c1c197c4.rb | 12 ++++++++++++ ...30-33d1f350f13728651d74dd2a56bad1e4e4648f5e.rb | 8 +++++++- ...30-7a1e2ae26cef50584af2c60a5ad3a7ae3e9b1446.rb | 6 ++++++ ...30-cbe9cff3c43b979739af1681b61a3d585725577b.rb | 12 ++++++++++++ ...30-f07144cc3d0ac50415f3a2e061be6da672c914ba.rb | 6 ++++++ ...30-f44469d65b4efd2e5951513ed7cbf773657f1283.rb | 6 ++++++ ...31-099b9225bcb0d019d9d60884be583eb31bb5f44e.rb | 12 ++++++++++++ ...31-0d1b3211736c4ca528a32ea0d565d41a2ede3b58.rb | 6 ++++++ ...31-12e412d1938ec3ff79751f0e85f31bc52f7e3722.rb | 6 ++++++ 
...31-4d4d0853eb075b8b0cfaee0aee7cdf4254a3e877.rb | 6 ++++++ ...31-634252e0c5f8b03957a2e529719d4101699a894a.rb | 12 ++++++++++++ ...31-6dbad1709854c527793f6401666e45a791b7c793.rb | 6 ++++++ ...31-e67e80e70619717709e3180e552a11a285036a54.rb | 8 +++++++- ...31-eb3c5cf73a0a6b7f2b3895a56dbc443806700971.rb | 6 ++++++ ...32-1e3fb06b8c86b5e282e3e11bd207d399fb4952e2.rb | 15 +++++++++++++++ ...32-7ec3e74da842ca3c6a9ba20b21303ce1bc7a45af.rb | 15 +++++++++++++++ ...32-7fba7abef941659c229c2636aa0905c28652ee3f.rb | 6 ++++++ ...32-82f6b69e698bb579baefb35a3fb0346632fa2c4d.rb | 15 +++++++++++++++ ...32-87f011a7e4cc3fc60a54d0d3dd690e7438decc8d.rb | 6 ++++++ ...32-ac287babd169c70013b752da2713dfb96d9a503f.rb | 15 +++++++++++++++ ...32-cb91dd613d38b806a16bed1b364c084ad63d1a1f.rb | 6 ++++++ ...32-e13b24f94b260dd6394bdb2433d2a78e37078d5c.rb | 6 ++++++ ...32-e1596c76d0d93d8a36378ba976f034f140618d59.rb | 6 ++++++ ...32-f45b67ab28af1581cba8e4713e0fd3b2bc004b2e.rb | 8 +++++++- ...33-18edf6b683a2f9768cc0ee9cc64ae6fbb545deb2.rb | 15 +++++++++++++++ ...33-2b48299781548c9bc452eac6df39902547c884ed.rb | 15 +++++++++++++++ ...33-37169e68b33cad12e272bb4896d71fd0d4fd98bb.rb | 6 ++++++ ...33-54a6e404e7dc1de7c1434a00b7b1ad325b81f22a.rb | 6 ++++++ ...33-7983d313db4a441a3762c8861ca405aa0331c0c8.rb | 6 ++++++ ...33-97c8d90bd86bc698d156630e8803de433a640090.rb | 15 +++++++++++++++ ...33-9bf4c513db255ab7248cef9f0f96b4403df29852.rb | 6 ++++++ ...33-9e592d3efa165bc2bab8b40426370bd50cb0b027.rb | 6 ++++++ ...33-abf3b2a9815c0cd6e4280cd99474d34102804eb2.rb | 6 ++++++ ...33-b046eecd056a0c30995703f6cfca7a8e3a9ef5fa.rb | 6 ++++++ lib/one_gadget/fetchers/amd64.rb | 2 +- tasks/builds/generate.rake | 6 ++++-- 59 files changed, 423 insertions(+), 13 deletions(-) diff --git a/lib/one_gadget/builds/libc-2.19-df559a150829d9f3cdd0b5ce1e5b4d512d20f55f.rb b/lib/one_gadget/builds/libc-2.19-df559a150829d9f3cdd0b5ce1e5b4d512d20f55f.rb index c9ae66ec..a3be3040 100644 
--- a/lib/one_gadget/builds/libc-2.19-df559a150829d9f3cdd0b5ce1e5b4d512d20f55f.rb +++ b/lib/one_gadget/builds/libc-2.19-df559a150829d9f3cdd0b5ce1e5b4d512d20f55f.rb @@ -1,5 +1,5 @@ require 'one_gadget/gadget' -# https://gitlab.com/david942j/libcdb/blob/master/libc/glibc-2.19-16.2.5.i686/lib/libc-2.19.so +# https://gitlab.com/david942j/libcdb/blob/master/libc/glibc-32bit-2.19-16.2.5.x86_64/lib/libc-2.19.so # # Intel 80386 # diff --git a/lib/one_gadget/builds/libc-2.20-398115bd423958b1769317a6f7e4928df141eb57.rb b/lib/one_gadget/builds/libc-2.20-398115bd423958b1769317a6f7e4928df141eb57.rb index 1019c152..21eacd58 100644 --- a/lib/one_gadget/builds/libc-2.20-398115bd423958b1769317a6f7e4928df141eb57.rb +++ b/lib/one_gadget/builds/libc-2.20-398115bd423958b1769317a6f7e4928df141eb57.rb @@ -1,5 +1,5 @@ require 'one_gadget/gadget' -# https://gitlab.com/david942j/libcdb/blob/master/libc/glibc-2.20-3-i686.pkg.tar/usr/lib/libc-2.20.so +# https://gitlab.com/david942j/libcdb/blob/master/libc/glibc-2.20-4-i686.pkg.tar/usr/lib/libc-2.20.so # # Intel 80386 # diff --git a/lib/one_gadget/builds/libc-2.20-f3063b7115d5a383189937852ce356f4c60fd190.rb b/lib/one_gadget/builds/libc-2.20-f3063b7115d5a383189937852ce356f4c60fd190.rb index 3398f2e3..1a2a541a 100644 --- a/lib/one_gadget/builds/libc-2.20-f3063b7115d5a383189937852ce356f4c60fd190.rb +++ b/lib/one_gadget/builds/libc-2.20-f3063b7115d5a383189937852ce356f4c60fd190.rb @@ -1,5 +1,5 @@ require 'one_gadget/gadget' -# https://gitlab.com/david942j/libcdb/blob/master/libc/glibc-2.20-3-x86_64.pkg.tar/usr/lib/libc-2.20.so +# https://gitlab.com/david942j/libcdb/blob/master/libc/glibc-2.20-4-x86_64.pkg.tar/usr/lib/libc-2.20.so # # Advanced Micro Devices X86-64 # diff --git a/lib/one_gadget/builds/libc-2.21-9ac81172d5ff96f40d984fe7c10073a98f1a6b2e.rb b/lib/one_gadget/builds/libc-2.21-9ac81172d5ff96f40d984fe7c10073a98f1a6b2e.rb index ad96ecbe..72407f5c 100644 --- a/lib/one_gadget/builds/libc-2.21-9ac81172d5ff96f40d984fe7c10073a98f1a6b2e.rb 
+++ b/lib/one_gadget/builds/libc-2.21-9ac81172d5ff96f40d984fe7c10073a98f1a6b2e.rb @@ -1,5 +1,5 @@ require 'one_gadget/gadget' -# https://gitlab.com/david942j/libcdb/blob/master/libc/glibc-2.21-1-x86_64.pkg.tar/usr/lib/libc-2.21.so +# https://gitlab.com/david942j/libcdb/blob/master/libc/glibc-2.21-2-x86_64.pkg.tar/usr/lib/libc-2.21.so # # Advanced Micro Devices X86-64 # diff --git a/lib/one_gadget/builds/libc-2.21-f0c24219cbba0605e39e02123398437c5dbbb104.rb b/lib/one_gadget/builds/libc-2.21-f0c24219cbba0605e39e02123398437c5dbbb104.rb index 1162e5f3..5ddf9526 100644 --- a/lib/one_gadget/builds/libc-2.21-f0c24219cbba0605e39e02123398437c5dbbb104.rb +++ b/lib/one_gadget/builds/libc-2.21-f0c24219cbba0605e39e02123398437c5dbbb104.rb @@ -1,5 +1,5 @@ require 'one_gadget/gadget' -# https://gitlab.com/david942j/libcdb/blob/master/libc/glibc-2.21-3.2.i686/lib/libc-2.21.so +# https://gitlab.com/david942j/libcdb/blob/master/libc/glibc-32bit-2.21-3.2.x86_64/lib/libc-2.21.so # # Intel 80386 # diff --git a/lib/one_gadget/builds/libc-2.22-b916e3c1d80069d0209f6376b33e42b75ec49eda.rb b/lib/one_gadget/builds/libc-2.22-b916e3c1d80069d0209f6376b33e42b75ec49eda.rb index 47807ee8..2541e322 100644 --- a/lib/one_gadget/builds/libc-2.22-b916e3c1d80069d0209f6376b33e42b75ec49eda.rb +++ b/lib/one_gadget/builds/libc-2.22-b916e3c1d80069d0209f6376b33e42b75ec49eda.rb @@ -1,5 +1,5 @@ require 'one_gadget/gadget' -# https://gitlab.com/david942j/libcdb/blob/master/libc/lib32-glibc-2.22-3-x86_64.pkg.tar/usr/lib32/libc-2.22.so +# https://gitlab.com/david942j/libcdb/blob/master/libc/lib32-glibc-2.22-3.1-x86_64.pkg.tar/usr/lib32/libc-2.22.so # # Intel 80386 # diff --git a/lib/one_gadget/builds/libc-2.25-58c735bc7b19b0aeb395cce70cf63bd62ac75e4a.rb b/lib/one_gadget/builds/libc-2.25-58c735bc7b19b0aeb395cce70cf63bd62ac75e4a.rb index f200feeb..c8b8034f 100644 --- a/lib/one_gadget/builds/libc-2.25-58c735bc7b19b0aeb395cce70cf63bd62ac75e4a.rb 
+++ b/lib/one_gadget/builds/libc-2.25-58c735bc7b19b0aeb395cce70cf63bd62ac75e4a.rb @@ -28,6 +28,15 @@ OneGadget::Gadget.add(build_id, 765680, constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"], effect: "execve(\"/bin/sh\", r12, r13)") +OneGadget::Gadget.add(build_id, 765738, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") +OneGadget::Gadget.add(build_id, 765742, + constraints: ["writable: rbp-0x30", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") +OneGadget::Gadget.add(build_id, 765750, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 890131, constraints: ["[rsp+0x80] == NULL"], effect: "execve(\"/bin/sh\", rsp+0x80, environ)") diff --git a/lib/one_gadget/builds/libc-2.26-1c39b3b3faa2a2cbb0fa0b6845b29332562262d3.rb b/lib/one_gadget/builds/libc-2.26-1c39b3b3faa2a2cbb0fa0b6845b29332562262d3.rb index 5b0e4ca5..c43288f4 100644 --- a/lib/one_gadget/builds/libc-2.26-1c39b3b3faa2a2cbb0fa0b6845b29332562262d3.rb +++ b/lib/one_gadget/builds/libc-2.26-1c39b3b3faa2a2cbb0fa0b6845b29332562262d3.rb 
@@ -28,6 +28,15 @@ OneGadget::Gadget.add(build_id, 799344, constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"], effect: "execve(\"/bin/sh\", r12, r13)") +OneGadget::Gadget.add(build_id, 799402, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") +OneGadget::Gadget.add(build_id, 799406, + constraints: ["writable: rbp-0x30", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") +OneGadget::Gadget.add(build_id, 799414, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 921646, constraints: ["[rsp+0x70] == NULL"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") diff --git a/lib/one_gadget/builds/libc-2.26-6d2b609f0c8e7b338f767b08c5ac712fac809d31.rb b/lib/one_gadget/builds/libc-2.26-6d2b609f0c8e7b338f767b08c5ac712fac809d31.rb index 5b9b88d6..5e32aa7d 100644 --- a/lib/one_gadget/builds/libc-2.26-6d2b609f0c8e7b338f767b08c5ac712fac809d31.rb +++ b/lib/one_gadget/builds/libc-2.26-6d2b609f0c8e7b338f767b08c5ac712fac809d31.rb 
@@ -28,6 +28,15 @@ OneGadget::Gadget.add(build_id, 890627, constraints: ["[r13] == NULL || r13 == NULL", "[rbx] == NULL || rbx == NULL"], effect: "execve(\"/bin/sh\", r13, rbx)") +OneGadget::Gadget.add(build_id, 890922, + constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[rbx] == NULL || rbx == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, rbx)") +OneGadget::Gadget.add(build_id, 890926, + constraints: ["writable: rbp-0x40", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[rbx] == NULL || rbx == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, rbx)") +OneGadget::Gadget.add(build_id, 890934, + constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[rbx] == NULL || rbx == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, rbx)") OneGadget::Gadget.add(build_id, 891345, constraints: ["[[rbp-0xa0]] == NULL || [rbp-0xa0] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], effect: "execve(\"/bin/sh\", [rbp-0xa0], [rbp-0x70])") diff --git a/lib/one_gadget/builds/libc-2.26-ddcc13122ddbfe5e5ef77d4ebe66d124ae5762c2.rb b/lib/one_gadget/builds/libc-2.26-ddcc13122ddbfe5e5ef77d4ebe66d124ae5762c2.rb index 1f93d573..933b81fd 100644 --- a/lib/one_gadget/builds/libc-2.26-ddcc13122ddbfe5e5ef77d4ebe66d124ae5762c2.rb +++ b/lib/one_gadget/builds/libc-2.26-ddcc13122ddbfe5e5ef77d4ebe66d124ae5762c2.rb 
@@ -28,6 +28,15 @@ OneGadget::Gadget.add(build_id, 890723, constraints: ["[r13] == NULL || r13 == NULL", "[rbx] == NULL || rbx == NULL"], effect: "execve(\"/bin/sh\", r13, rbx)") +OneGadget::Gadget.add(build_id, 891018, + constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[rbx] == NULL || rbx == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, rbx)") +OneGadget::Gadget.add(build_id, 891022, + constraints: ["writable: rbp-0x40", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[rbx] == NULL || rbx == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, rbx)") +OneGadget::Gadget.add(build_id, 891030, + constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[rbx] == NULL || rbx == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, rbx)") OneGadget::Gadget.add(build_id, 891441, constraints: ["[[rbp-0xa0]] == NULL || [rbp-0xa0] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], effect: "execve(\"/bin/sh\", [rbp-0xa0], [rbp-0x70])") diff --git a/lib/one_gadget/builds/libc-2.26-fb587bc4429e7d1b0de31a3b9ee8ae78ee797eb0.rb b/lib/one_gadget/builds/libc-2.26-fb587bc4429e7d1b0de31a3b9ee8ae78ee797eb0.rb index e91c86a6..d4a87ec5 100644 --- a/lib/one_gadget/builds/libc-2.26-fb587bc4429e7d1b0de31a3b9ee8ae78ee797eb0.rb +++ b/lib/one_gadget/builds/libc-2.26-fb587bc4429e7d1b0de31a3b9ee8ae78ee797eb0.rb 
@@ -28,6 +28,15 @@ OneGadget::Gadget.add(build_id, 799376, constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"], effect: "execve(\"/bin/sh\", r12, r13)") +OneGadget::Gadget.add(build_id, 799434, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") +OneGadget::Gadget.add(build_id, 799438, + constraints: ["writable: rbp-0x30", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") +OneGadget::Gadget.add(build_id, 799446, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 921694, constraints: ["[rsp+0x70] == NULL"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") diff --git a/lib/one_gadget/builds/libc-2.27-73cd526a553b3b47c6dd0d6dc62175263cdc646e.rb b/lib/one_gadget/builds/libc-2.27-73cd526a553b3b47c6dd0d6dc62175263cdc646e.rb index 3c917dad..fdfdcfee 100644 --- a/lib/one_gadget/builds/libc-2.27-73cd526a553b3b47c6dd0d6dc62175263cdc646e.rb +++ b/lib/one_gadget/builds/libc-2.27-73cd526a553b3b47c6dd0d6dc62175263cdc646e.rb @@ -23,6 +23,9 @@ OneGadget::Gadget.add(build_id, 806271, constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], effect: "execve(\"/bin/sh\", r13, r12)") +OneGadget::Gadget.add(build_id, 806325, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 929870, constraints: ["[rsp+0x60] == NULL"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") diff --git a/lib/one_gadget/builds/libc-2.27-9dd0bb57f81671704475d1e5163405f7b4d4b454.rb b/lib/one_gadget/builds/libc-2.27-9dd0bb57f81671704475d1e5163405f7b4d4b454.rb index 8bf03dd2..ee407894 100644 
--- a/lib/one_gadget/builds/libc-2.27-9dd0bb57f81671704475d1e5163405f7b4d4b454.rb +++ b/lib/one_gadget/builds/libc-2.27-9dd0bb57f81671704475d1e5163405f7b4d4b454.rb @@ -23,6 +23,9 @@ OneGadget::Gadget.add(build_id, 806783, constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], effect: "execve(\"/bin/sh\", r13, r12)") +OneGadget::Gadget.add(build_id, 806837, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 930286, constraints: ["[rsp+0x60] == NULL"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") diff --git a/lib/one_gadget/builds/libc-2.27-ce450eb01a5e5acc7ce7b8c2633b02cc1093339e.rb b/lib/one_gadget/builds/libc-2.27-ce450eb01a5e5acc7ce7b8c2633b02cc1093339e.rb index c47dbaae..25916cd3 100644 --- a/lib/one_gadget/builds/libc-2.27-ce450eb01a5e5acc7ce7b8c2633b02cc1093339e.rb +++ b/lib/one_gadget/builds/libc-2.27-ce450eb01a5e5acc7ce7b8c2633b02cc1093339e.rb @@ -32,6 +32,9 @@ OneGadget::Gadget.add(build_id, 939554, constraints: ["[rcx] == NULL || rcx == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rcx, rdx)") +OneGadget::Gadget.add(build_id, 939613, + constraints: ["writable: [rbp-0x78]+0x10", "writable: rbp-0x80", "[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x70])") OneGadget::Gadget.add(build_id, 1090588, constraints: ["[rsp+0x70] == NULL"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") diff --git a/lib/one_gadget/builds/libc-2.27-d1237c55f6778f53b369cf22ff81979b2fe340bb.rb b/lib/one_gadget/builds/libc-2.27-d1237c55f6778f53b369cf22ff81979b2fe340bb.rb index 2850fe7b..3aaedd1a 100644 --- a/lib/one_gadget/builds/libc-2.27-d1237c55f6778f53b369cf22ff81979b2fe340bb.rb +++ b/lib/one_gadget/builds/libc-2.27-d1237c55f6778f53b369cf22ff81979b2fe340bb.rb 
@@ -23,6 +23,9 @@ OneGadget::Gadget.add(build_id, 806895, constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], effect: "execve(\"/bin/sh\", r13, r12)") +OneGadget::Gadget.add(build_id, 806949, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 930462, constraints: ["[rsp+0x60] == NULL"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") diff --git a/lib/one_gadget/builds/libc-2.28-5b157f49586a3ca84d55837f97ff466767dd3445.rb b/lib/one_gadget/builds/libc-2.28-5b157f49586a3ca84d55837f97ff466767dd3445.rb index 92d0cbee..96e1e244 100644 --- a/lib/one_gadget/builds/libc-2.28-5b157f49586a3ca84d55837f97ff466767dd3445.rb +++ b/lib/one_gadget/builds/libc-2.28-5b157f49586a3ca84d55837f97ff466767dd3445.rb 
@@ -38,6 +38,18 @@ OneGadget::Gadget.add(build_id, 914339, constraints: ["[rcx] == NULL || rcx == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rcx, rdx)") +OneGadget::Gadget.add(build_id, 914421, + constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r13)") +OneGadget::Gadget.add(build_id, 914425, + constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r13)") +OneGadget::Gadget.add(build_id, 914483, + constraints: ["writable: [rbp-0x78]+0x10", "writable: rbp-0x80", "[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x70])") +OneGadget::Gadget.add(build_id, 914487, + constraints: ["writable: [rbp-0x78]+0x10", "writable: rbp-0x50", "[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x70])") OneGadget::Gadget.add(build_id, 1064784, constraints: ["[rsp+0x70] == NULL"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") diff --git a/lib/one_gadget/builds/libc-2.28-65ed813688b116fdce9e866ad2fef2e734167337.rb b/lib/one_gadget/builds/libc-2.28-65ed813688b116fdce9e866ad2fef2e734167337.rb index 4ec1dd88..015105b8 100644 --- a/lib/one_gadget/builds/libc-2.28-65ed813688b116fdce9e866ad2fef2e734167337.rb +++ b/lib/one_gadget/builds/libc-2.28-65ed813688b116fdce9e866ad2fef2e734167337.rb 
@@ -32,6 +32,12 @@ OneGadget::Gadget.add(build_id, 823392, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 823482, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") +OneGadget::Gadget.add(build_id, 823486, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 947760, constraints: ["[rsp+0x60] == NULL"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") diff --git a/lib/one_gadget/builds/libc-2.28-6ee9454b96efa9e343f9e8105f2fa4529265ea05.rb b/lib/one_gadget/builds/libc-2.28-6ee9454b96efa9e343f9e8105f2fa4529265ea05.rb index 5296780e..2c7e0915 100644 --- a/lib/one_gadget/builds/libc-2.28-6ee9454b96efa9e343f9e8105f2fa4529265ea05.rb +++ b/lib/one_gadget/builds/libc-2.28-6ee9454b96efa9e343f9e8105f2fa4529265ea05.rb @@ -32,6 +32,12 @@ OneGadget::Gadget.add(build_id, 816112, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 816201, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") +OneGadget::Gadget.add(build_id, 816205, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 939838, constraints: ["[rsp+0x60] == NULL"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") diff --git a/lib/one_gadget/builds/libc-2.29-5b7203920d3d786ac40af8e0d5104683335f11be.rb b/lib/one_gadget/builds/libc-2.29-5b7203920d3d786ac40af8e0d5104683335f11be.rb index b884caf8..88f3ff60 100644 
--- a/lib/one_gadget/builds/libc-2.29-5b7203920d3d786ac40af8e0d5104683335f11be.rb +++ b/lib/one_gadget/builds/libc-2.29-5b7203920d3d786ac40af8e0d5104683335f11be.rb @@ -23,6 +23,12 @@ OneGadget::Gadget.add(build_id, 826176, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 826266, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") +OneGadget::Gadget.add(build_id, 826273, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 949339, constraints: ["[rsp+0x60] == NULL"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") diff --git a/lib/one_gadget/builds/libc-2.29-85d5020664b11fd2708859275de41d5ab9d104cf.rb b/lib/one_gadget/builds/libc-2.29-85d5020664b11fd2708859275de41d5ab9d104cf.rb index 6f7831fc..8d7e176a 100644 --- a/lib/one_gadget/builds/libc-2.29-85d5020664b11fd2708859275de41d5ab9d104cf.rb +++ b/lib/one_gadget/builds/libc-2.29-85d5020664b11fd2708859275de41d5ab9d104cf.rb @@ -23,6 +23,12 @@ OneGadget::Gadget.add(build_id, 824736, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 824825, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") +OneGadget::Gadget.add(build_id, 824829, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 948598, constraints: ["[rsp+0x60] == NULL"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") 
diff --git a/lib/one_gadget/builds/libc-2.29-a8af6c81cb28a37bf3a546970bf64224402f8bd4.rb b/lib/one_gadget/builds/libc-2.29-a8af6c81cb28a37bf3a546970bf64224402f8bd4.rb index 414df3d3..fc0f0ae1 100644 --- a/lib/one_gadget/builds/libc-2.29-a8af6c81cb28a37bf3a546970bf64224402f8bd4.rb +++ b/lib/one_gadget/builds/libc-2.29-a8af6c81cb28a37bf3a546970bf64224402f8bd4.rb @@ -1,5 +1,5 @@ require 'one_gadget/gadget' -# https://gitlab.com/david942j/libcdb/blob/master/libc/glibc-2.29-3-x86_64.pkg.tar/usr/lib/libc-2.29.so +# https://gitlab.com/david942j/libcdb/blob/master/libc/glibc-2.29-4-x86_64.pkg.tar/usr/lib/libc-2.29.so # # Advanced Micro Devices X86-64 # @@ -23,6 +23,12 @@ OneGadget::Gadget.add(build_id, 826624, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 826714, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") +OneGadget::Gadget.add(build_id, 826721, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 949803, constraints: ["[rsp+0x60] == NULL"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") diff --git a/lib/one_gadget/builds/libc-2.29-c19c88c33b60742ca906e0f9f96fe31b8b79ea9c.rb b/lib/one_gadget/builds/libc-2.29-c19c88c33b60742ca906e0f9f96fe31b8b79ea9c.rb index 655afe69..5eccc0a9 100644 --- a/lib/one_gadget/builds/libc-2.29-c19c88c33b60742ca906e0f9f96fe31b8b79ea9c.rb +++ b/lib/one_gadget/builds/libc-2.29-c19c88c33b60742ca906e0f9f96fe31b8b79ea9c.rb 
@@ -23,6 +23,12 @@ OneGadget::Gadget.add(build_id, 819920, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 820010, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") +OneGadget::Gadget.add(build_id, 820014, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 944400, constraints: ["[rsp+0x60] == NULL"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") diff --git a/lib/one_gadget/builds/libc-2.29-d561ec515222887a1e004555981169199d841024.rb b/lib/one_gadget/builds/libc-2.29-d561ec515222887a1e004555981169199d841024.rb index 49bf3aae..9463609b 100644 --- a/lib/one_gadget/builds/libc-2.29-d561ec515222887a1e004555981169199d841024.rb +++ b/lib/one_gadget/builds/libc-2.29-d561ec515222887a1e004555981169199d841024.rb 
@@ -29,6 +29,18 @@ OneGadget::Gadget.add(build_id, 926595, constraints: ["[rcx] == NULL || rcx == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rcx, rdx)") +OneGadget::Gadget.add(build_id, 926677, + constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r13)") +OneGadget::Gadget.add(build_id, 926681, + constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r13)") +OneGadget::Gadget.add(build_id, 926739, + constraints: ["writable: [rbp-0x78]+0x10", "writable: rbp-0x80", "[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x70])") +OneGadget::Gadget.add(build_id, 926743, + constraints: ["writable: [rbp-0x78]+0x10", "writable: rbp-0x50", "[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x70])") OneGadget::Gadget.add(build_id, 1076984, constraints: ["[rsp+0x70] == NULL"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") diff --git a/lib/one_gadget/builds/libc-2.30-2155f455ad56bd871c8225bcca85ee25c1c197c4.rb b/lib/one_gadget/builds/libc-2.30-2155f455ad56bd871c8225bcca85ee25c1c197c4.rb index f9e5e8b9..775f842b 100644 --- a/lib/one_gadget/builds/libc-2.30-2155f455ad56bd871c8225bcca85ee25c1c197c4.rb +++ b/lib/one_gadget/builds/libc-2.30-2155f455ad56bd871c8225bcca85ee25c1c197c4.rb 
@@ -29,6 +29,18 @@ OneGadget::Gadget.add(build_id, 945046, constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 945161, + constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 945168, + constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 945237, + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", r10, r12)") +OneGadget::Gadget.add(build_id, 945245, + constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", r10, r12)") OneGadget::Gadget.add(build_id, 1093545, constraints: ["[rsp+0x70] == NULL"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") diff --git a/lib/one_gadget/builds/libc-2.30-33d1f350f13728651d74dd2a56bad1e4e4648f5e.rb b/lib/one_gadget/builds/libc-2.30-33d1f350f13728651d74dd2a56bad1e4e4648f5e.rb index 24469f3f..dd0663f7 100644 --- a/lib/one_gadget/builds/libc-2.30-33d1f350f13728651d74dd2a56bad1e4e4648f5e.rb +++ b/lib/one_gadget/builds/libc-2.30-33d1f350f13728651d74dd2a56bad1e4e4648f5e.rb @@ -1,5 +1,5 @@ require 'one_gadget/gadget' -# https://gitlab.com/david942j/libcdb/blob/master/libc/glibc-2.30-2-x86_64.pkg.tar/usr/lib/libc-2.30.so +# https://gitlab.com/david942j/libcdb/blob/master/libc/glibc-2.30-3-x86_64.pkg.tar/usr/lib/libc-2.30.so # # Advanced Micro Devices X86-64 # 
@@ -23,6 +23,12 @@ OneGadget::Gadget.add(build_id, 840624, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 840714, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") +OneGadget::Gadget.add(build_id, 840721, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 962475, constraints: ["[rsp+0x60] == NULL"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") diff --git a/lib/one_gadget/builds/libc-2.30-7a1e2ae26cef50584af2c60a5ad3a7ae3e9b1446.rb b/lib/one_gadget/builds/libc-2.30-7a1e2ae26cef50584af2c60a5ad3a7ae3e9b1446.rb index e2c26fa1..cfbcb758 100644 --- a/lib/one_gadget/builds/libc-2.30-7a1e2ae26cef50584af2c60a5ad3a7ae3e9b1446.rb +++ b/lib/one_gadget/builds/libc-2.30-7a1e2ae26cef50584af2c60a5ad3a7ae3e9b1446.rb @@ -23,6 +23,12 @@ OneGadget::Gadget.add(build_id, 840624, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 840714, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") +OneGadget::Gadget.add(build_id, 840721, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 962475, constraints: ["[rsp+0x60] == NULL"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") diff --git a/lib/one_gadget/builds/libc-2.30-cbe9cff3c43b979739af1681b61a3d585725577b.rb b/lib/one_gadget/builds/libc-2.30-cbe9cff3c43b979739af1681b61a3d585725577b.rb index 535ec0ba..cd366b87 100644 
--- a/lib/one_gadget/builds/libc-2.30-cbe9cff3c43b979739af1681b61a3d585725577b.rb +++ b/lib/one_gadget/builds/libc-2.30-cbe9cff3c43b979739af1681b61a3d585725577b.rb @@ -29,6 +29,18 @@ OneGadget::Gadget.add(build_id, 945046, constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 945161, + constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 945168, + constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 945237, + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", r10, r12)") +OneGadget::Gadget.add(build_id, 945245, + constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", r10, r12)") OneGadget::Gadget.add(build_id, 1093433, constraints: ["[rsp+0x70] == NULL"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") diff --git a/lib/one_gadget/builds/libc-2.30-f07144cc3d0ac50415f3a2e061be6da672c914ba.rb b/lib/one_gadget/builds/libc-2.30-f07144cc3d0ac50415f3a2e061be6da672c914ba.rb index 4fecf644..6867e025 100644 --- a/lib/one_gadget/builds/libc-2.30-f07144cc3d0ac50415f3a2e061be6da672c914ba.rb +++ b/lib/one_gadget/builds/libc-2.30-f07144cc3d0ac50415f3a2e061be6da672c914ba.rb 
@@ -23,6 +23,12 @@ OneGadget::Gadget.add(build_id, 846519, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 846609, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") +OneGadget::Gadget.add(build_id, 846616, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 970123, constraints: ["[rsp+0x60] == NULL"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") diff --git a/lib/one_gadget/builds/libc-2.30-f44469d65b4efd2e5951513ed7cbf773657f1283.rb b/lib/one_gadget/builds/libc-2.30-f44469d65b4efd2e5951513ed7cbf773657f1283.rb index 94ad5979..bf3efa2b 100644 --- a/lib/one_gadget/builds/libc-2.30-f44469d65b4efd2e5951513ed7cbf773657f1283.rb +++ b/lib/one_gadget/builds/libc-2.30-f44469d65b4efd2e5951513ed7cbf773657f1283.rb @@ -23,6 +23,12 @@ OneGadget::Gadget.add(build_id, 846519, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 846609, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") +OneGadget::Gadget.add(build_id, 846616, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 970075, constraints: ["[rsp+0x60] == NULL"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") diff --git a/lib/one_gadget/builds/libc-2.31-099b9225bcb0d019d9d60884be583eb31bb5f44e.rb b/lib/one_gadget/builds/libc-2.31-099b9225bcb0d019d9d60884be583eb31bb5f44e.rb index 5392d94d..8451ec62 100644 
--- a/lib/one_gadget/builds/libc-2.31-099b9225bcb0d019d9d60884be583eb31bb5f44e.rb +++ b/lib/one_gadget/builds/libc-2.31-099b9225bcb0d019d9d60884be583eb31bb5f44e.rb @@ -29,4 +29,16 @@ OneGadget::Gadget.add(build_id, 945782, constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 945897, + constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 945904, + constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 945973, + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", r10, r12)") +OneGadget::Gadget.add(build_id, 945981, + constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", r10, r12)") diff --git a/lib/one_gadget/builds/libc-2.31-0d1b3211736c4ca528a32ea0d565d41a2ede3b58.rb b/lib/one_gadget/builds/libc-2.31-0d1b3211736c4ca528a32ea0d565d41a2ede3b58.rb index fb14e934..2ba08626 100644 --- a/lib/one_gadget/builds/libc-2.31-0d1b3211736c4ca528a32ea0d565d41a2ede3b58.rb +++ b/lib/one_gadget/builds/libc-2.31-0d1b3211736c4ca528a32ea0d565d41a2ede3b58.rb 
@@ -23,4 +23,10 @@ OneGadget::Gadget.add(build_id, 841536, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 841626, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") +OneGadget::Gadget.add(build_id, 841633, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") diff --git a/lib/one_gadget/builds/libc-2.31-12e412d1938ec3ff79751f0e85f31bc52f7e3722.rb b/lib/one_gadget/builds/libc-2.31-12e412d1938ec3ff79751f0e85f31bc52f7e3722.rb index d4fbf5f6..6383b70a 100644 --- a/lib/one_gadget/builds/libc-2.31-12e412d1938ec3ff79751f0e85f31bc52f7e3722.rb +++ b/lib/one_gadget/builds/libc-2.31-12e412d1938ec3ff79751f0e85f31bc52f7e3722.rb @@ -23,4 +23,10 @@ OneGadget::Gadget.add(build_id, 841008, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 841098, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") +OneGadget::Gadget.add(build_id, 841105, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") diff --git a/lib/one_gadget/builds/libc-2.31-4d4d0853eb075b8b0cfaee0aee7cdf4254a3e877.rb b/lib/one_gadget/builds/libc-2.31-4d4d0853eb075b8b0cfaee0aee7cdf4254a3e877.rb index 76192674..64404575 100644 --- a/lib/one_gadget/builds/libc-2.31-4d4d0853eb075b8b0cfaee0aee7cdf4254a3e877.rb +++ b/lib/one_gadget/builds/libc-2.31-4d4d0853eb075b8b0cfaee0aee7cdf4254a3e877.rb 
@@ -23,4 +23,10 @@ OneGadget::Gadget.add(build_id, 847175, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 847265, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") +OneGadget::Gadget.add(build_id, 847272, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") diff --git a/lib/one_gadget/builds/libc-2.31-634252e0c5f8b03957a2e529719d4101699a894a.rb b/lib/one_gadget/builds/libc-2.31-634252e0c5f8b03957a2e529719d4101699a894a.rb index 35670cb7..ed9cd500 100644 --- a/lib/one_gadget/builds/libc-2.31-634252e0c5f8b03957a2e529719d4101699a894a.rb +++ b/lib/one_gadget/builds/libc-2.31-634252e0c5f8b03957a2e529719d4101699a894a.rb @@ -29,4 +29,16 @@ OneGadget::Gadget.add(build_id, 945382, constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 945497, + constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 945504, + constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 945573, + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", r10, r12)") +OneGadget::Gadget.add(build_id, 945581, + constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", r10, r12)") 
diff --git a/lib/one_gadget/builds/libc-2.31-6dbad1709854c527793f6401666e45a791b7c793.rb b/lib/one_gadget/builds/libc-2.31-6dbad1709854c527793f6401666e45a791b7c793.rb index ab822b78..63606e31 100644 --- a/lib/one_gadget/builds/libc-2.31-6dbad1709854c527793f6401666e45a791b7c793.rb +++ b/lib/one_gadget/builds/libc-2.31-6dbad1709854c527793f6401666e45a791b7c793.rb @@ -23,4 +23,10 @@ OneGadget::Gadget.add(build_id, 841008, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 841098, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") +OneGadget::Gadget.add(build_id, 841105, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") diff --git a/lib/one_gadget/builds/libc-2.31-e67e80e70619717709e3180e552a11a285036a54.rb b/lib/one_gadget/builds/libc-2.31-e67e80e70619717709e3180e552a11a285036a54.rb index 19bacf93..1eea6a40 100644 --- a/lib/one_gadget/builds/libc-2.31-e67e80e70619717709e3180e552a11a285036a54.rb +++ b/lib/one_gadget/builds/libc-2.31-e67e80e70619717709e3180e552a11a285036a54.rb @@ -1,5 +1,5 @@ require 'one_gadget/gadget' -# https://gitlab.com/david942j/libcdb/blob/master/libc/glibc-2.31-4-x86_64.pkg.tar/usr/lib/libc-2.31.so +# https://gitlab.com/david942j/libcdb/blob/master/libc/glibc-2.31-5-x86_64.pkg.tar/usr/lib/libc-2.31.so # # Advanced Micro Devices X86-64 # 
@@ -23,4 +23,10 @@ OneGadget::Gadget.add(build_id, 841648, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 841738, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") +OneGadget::Gadget.add(build_id, 841745, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") diff --git a/lib/one_gadget/builds/libc-2.31-eb3c5cf73a0a6b7f2b3895a56dbc443806700971.rb b/lib/one_gadget/builds/libc-2.31-eb3c5cf73a0a6b7f2b3895a56dbc443806700971.rb index eaee0660..76b6bc07 100644 --- a/lib/one_gadget/builds/libc-2.31-eb3c5cf73a0a6b7f2b3895a56dbc443806700971.rb +++ b/lib/one_gadget/builds/libc-2.31-eb3c5cf73a0a6b7f2b3895a56dbc443806700971.rb @@ -23,4 +23,10 @@ OneGadget::Gadget.add(build_id, 846775, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 846865, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") +OneGadget::Gadget.add(build_id, 846872, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") diff --git a/lib/one_gadget/builds/libc-2.32-1e3fb06b8c86b5e282e3e11bd207d399fb4952e2.rb b/lib/one_gadget/builds/libc-2.32-1e3fb06b8c86b5e282e3e11bd207d399fb4952e2.rb index cfa9a7b3..961f7c0e 100644 --- a/lib/one_gadget/builds/libc-2.32-1e3fb06b8c86b5e282e3e11bd207d399fb4952e2.rb +++ b/lib/one_gadget/builds/libc-2.32-1e3fb06b8c86b5e282e3e11bd207d399fb4952e2.rb 
@@ -29,4 +29,19 @@ OneGadget::Gadget.add(build_id, 914777, constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 914886, + constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 914893, + constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 914955, + constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") +OneGadget::Gadget.add(build_id, 914962, + constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") +OneGadget::Gadget.add(build_id, 914966, + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") diff --git a/lib/one_gadget/builds/libc-2.32-7ec3e74da842ca3c6a9ba20b21303ce1bc7a45af.rb b/lib/one_gadget/builds/libc-2.32-7ec3e74da842ca3c6a9ba20b21303ce1bc7a45af.rb index beae2409..d06c27cd 100644 --- a/lib/one_gadget/builds/libc-2.32-7ec3e74da842ca3c6a9ba20b21303ce1bc7a45af.rb +++ b/lib/one_gadget/builds/libc-2.32-7ec3e74da842ca3c6a9ba20b21303ce1bc7a45af.rb 
@@ -29,4 +29,19 @@ OneGadget::Gadget.add(build_id, 915257, constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 915366, + constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 915373, + constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 915435, + constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") +OneGadget::Gadget.add(build_id, 915442, + constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") +OneGadget::Gadget.add(build_id, 915446, + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") diff --git a/lib/one_gadget/builds/libc-2.32-7fba7abef941659c229c2636aa0905c28652ee3f.rb b/lib/one_gadget/builds/libc-2.32-7fba7abef941659c229c2636aa0905c28652ee3f.rb index ef244117..641b7981 100644 --- a/lib/one_gadget/builds/libc-2.32-7fba7abef941659c229c2636aa0905c28652ee3f.rb +++ b/lib/one_gadget/builds/libc-2.32-7fba7abef941659c229c2636aa0905c28652ee3f.rb 
@@ -23,4 +23,10 @@ OneGadget::Gadget.add(build_id, 846708, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 846798, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") +OneGadget::Gadget.add(build_id, 846805, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") diff --git a/lib/one_gadget/builds/libc-2.32-82f6b69e698bb579baefb35a3fb0346632fa2c4d.rb b/lib/one_gadget/builds/libc-2.32-82f6b69e698bb579baefb35a3fb0346632fa2c4d.rb index 8c200e46..ec639e6e 100644 --- a/lib/one_gadget/builds/libc-2.32-82f6b69e698bb579baefb35a3fb0346632fa2c4d.rb +++ b/lib/one_gadget/builds/libc-2.32-82f6b69e698bb579baefb35a3fb0346632fa2c4d.rb 
@@ -29,4 +29,19 @@ OneGadget::Gadget.add(build_id, 915257, constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 915366, + constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 915373, + constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 915435, + constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") +OneGadget::Gadget.add(build_id, 915442, + constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") +OneGadget::Gadget.add(build_id, 915446, + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") diff --git a/lib/one_gadget/builds/libc-2.32-87f011a7e4cc3fc60a54d0d3dd690e7438decc8d.rb b/lib/one_gadget/builds/libc-2.32-87f011a7e4cc3fc60a54d0d3dd690e7438decc8d.rb index 90953a68..6b6e11f9 100644 --- a/lib/one_gadget/builds/libc-2.32-87f011a7e4cc3fc60a54d0d3dd690e7438decc8d.rb +++ b/lib/one_gadget/builds/libc-2.32-87f011a7e4cc3fc60a54d0d3dd690e7438decc8d.rb 
@@ -23,4 +23,10 @@ OneGadget::Gadget.add(build_id, 842336, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 842426, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") +OneGadget::Gadget.add(build_id, 842433, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") diff --git a/lib/one_gadget/builds/libc-2.32-ac287babd169c70013b752da2713dfb96d9a503f.rb b/lib/one_gadget/builds/libc-2.32-ac287babd169c70013b752da2713dfb96d9a503f.rb index ef4c2b99..21cf8d55 100644 --- a/lib/one_gadget/builds/libc-2.32-ac287babd169c70013b752da2713dfb96d9a503f.rb +++ b/lib/one_gadget/builds/libc-2.32-ac287babd169c70013b752da2713dfb96d9a503f.rb 
@@ -29,4 +29,19 @@ OneGadget::Gadget.add(build_id, 915257, constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 915366, + constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 915373, + constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 915435, + constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") +OneGadget::Gadget.add(build_id, 915442, + constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") +OneGadget::Gadget.add(build_id, 915446, + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") diff --git a/lib/one_gadget/builds/libc-2.32-cb91dd613d38b806a16bed1b364c084ad63d1a1f.rb b/lib/one_gadget/builds/libc-2.32-cb91dd613d38b806a16bed1b364c084ad63d1a1f.rb index ea6b22c4..5d7be32e 100644 --- a/lib/one_gadget/builds/libc-2.32-cb91dd613d38b806a16bed1b364c084ad63d1a1f.rb +++ b/lib/one_gadget/builds/libc-2.32-cb91dd613d38b806a16bed1b364c084ad63d1a1f.rb 
@@ -23,4 +23,10 @@ OneGadget::Gadget.add(build_id, 846212, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 846302, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") +OneGadget::Gadget.add(build_id, 846309, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") diff --git a/lib/one_gadget/builds/libc-2.32-e13b24f94b260dd6394bdb2433d2a78e37078d5c.rb b/lib/one_gadget/builds/libc-2.32-e13b24f94b260dd6394bdb2433d2a78e37078d5c.rb index dc5138a9..e853669a 100644 --- a/lib/one_gadget/builds/libc-2.32-e13b24f94b260dd6394bdb2433d2a78e37078d5c.rb +++ b/lib/one_gadget/builds/libc-2.32-e13b24f94b260dd6394bdb2433d2a78e37078d5c.rb @@ -23,4 +23,10 @@ OneGadget::Gadget.add(build_id, 846708, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 846798, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") +OneGadget::Gadget.add(build_id, 846805, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") diff --git a/lib/one_gadget/builds/libc-2.32-e1596c76d0d93d8a36378ba976f034f140618d59.rb b/lib/one_gadget/builds/libc-2.32-e1596c76d0d93d8a36378ba976f034f140618d59.rb index 337f4514..36e4547d 100644 --- a/lib/one_gadget/builds/libc-2.32-e1596c76d0d93d8a36378ba976f034f140618d59.rb +++ b/lib/one_gadget/builds/libc-2.32-e1596c76d0d93d8a36378ba976f034f140618d59.rb 
@@ -23,4 +23,10 @@ OneGadget::Gadget.add(build_id, 846708, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 846798, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") +OneGadget::Gadget.add(build_id, 846805, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") diff --git a/lib/one_gadget/builds/libc-2.32-f45b67ab28af1581cba8e4713e0fd3b2bc004b2e.rb b/lib/one_gadget/builds/libc-2.32-f45b67ab28af1581cba8e4713e0fd3b2bc004b2e.rb index 9c278dd0..3ed750c2 100644 --- a/lib/one_gadget/builds/libc-2.32-f45b67ab28af1581cba8e4713e0fd3b2bc004b2e.rb +++ b/lib/one_gadget/builds/libc-2.32-f45b67ab28af1581cba8e4713e0fd3b2bc004b2e.rb @@ -1,5 +1,5 @@ require 'one_gadget/gadget' -# https://gitlab.com/david942j/libcdb/blob/master/libc/glibc-2.32-1-x86_64.pkg.tar/usr/lib/libc-2.32.so +# https://gitlab.com/david942j/libcdb/blob/master/libc/glibc-2.32-4-x86_64.pkg.tar/usr/lib/libc-2.32.so # # Advanced Micro Devices X86-64 # @@ -23,4 +23,10 @@ OneGadget::Gadget.add(build_id, 842336, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 842426, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") +OneGadget::Gadget.add(build_id, 842433, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") 
diff --git a/lib/one_gadget/builds/libc-2.33-18edf6b683a2f9768cc0ee9cc64ae6fbb545deb2.rb b/lib/one_gadget/builds/libc-2.33-18edf6b683a2f9768cc0ee9cc64ae6fbb545deb2.rb index 518fdfd5..c469f1bb 100644 --- a/lib/one_gadget/builds/libc-2.33-18edf6b683a2f9768cc0ee9cc64ae6fbb545deb2.rb +++ b/lib/one_gadget/builds/libc-2.33-18edf6b683a2f9768cc0ee9cc64ae6fbb545deb2.rb @@ -29,4 +29,19 @@ OneGadget::Gadget.add(build_id, 911625, constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 911734, + constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 911741, + constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 911803, + constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") +OneGadget::Gadget.add(build_id, 911810, + constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") +OneGadget::Gadget.add(build_id, 911814, + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") diff --git a/lib/one_gadget/builds/libc-2.33-2b48299781548c9bc452eac6df39902547c884ed.rb b/lib/one_gadget/builds/libc-2.33-2b48299781548c9bc452eac6df39902547c884ed.rb index e83945d5..f9282b4d 100644 --- a/lib/one_gadget/builds/libc-2.33-2b48299781548c9bc452eac6df39902547c884ed.rb 
+++ b/lib/one_gadget/builds/libc-2.33-2b48299781548c9bc452eac6df39902547c884ed.rb @@ -29,4 +29,19 @@ OneGadget::Gadget.add(build_id, 911737, constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 911846, + constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 911853, + constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 911915, + constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") +OneGadget::Gadget.add(build_id, 911922, + constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") +OneGadget::Gadget.add(build_id, 911926, + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") diff --git a/lib/one_gadget/builds/libc-2.33-37169e68b33cad12e272bb4896d71fd0d4fd98bb.rb b/lib/one_gadget/builds/libc-2.33-37169e68b33cad12e272bb4896d71fd0d4fd98bb.rb index 0e933836..973e6d4f 100644 --- a/lib/one_gadget/builds/libc-2.33-37169e68b33cad12e272bb4896d71fd0d4fd98bb.rb +++ b/lib/one_gadget/builds/libc-2.33-37169e68b33cad12e272bb4896d71fd0d4fd98bb.rb 
@@ -23,4 +23,10 @@ OneGadget::Gadget.add(build_id, 842388, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 842478, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") +OneGadget::Gadget.add(build_id, 842485, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") diff --git a/lib/one_gadget/builds/libc-2.33-54a6e404e7dc1de7c1434a00b7b1ad325b81f22a.rb b/lib/one_gadget/builds/libc-2.33-54a6e404e7dc1de7c1434a00b7b1ad325b81f22a.rb index 8229b93e..554d6d2f 100644 --- a/lib/one_gadget/builds/libc-2.33-54a6e404e7dc1de7c1434a00b7b1ad325b81f22a.rb +++ b/lib/one_gadget/builds/libc-2.33-54a6e404e7dc1de7c1434a00b7b1ad325b81f22a.rb @@ -23,4 +23,10 @@ OneGadget::Gadget.add(build_id, 838688, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 838778, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") +OneGadget::Gadget.add(build_id, 838785, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") diff --git a/lib/one_gadget/builds/libc-2.33-7983d313db4a441a3762c8861ca405aa0331c0c8.rb b/lib/one_gadget/builds/libc-2.33-7983d313db4a441a3762c8861ca405aa0331c0c8.rb index a6ffec8d..0270af8a 100644 --- a/lib/one_gadget/builds/libc-2.33-7983d313db4a441a3762c8861ca405aa0331c0c8.rb +++ b/lib/one_gadget/builds/libc-2.33-7983d313db4a441a3762c8861ca405aa0331c0c8.rb 
@@ -23,4 +23,10 @@ OneGadget::Gadget.add(build_id, 842244, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 842334, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") +OneGadget::Gadget.add(build_id, 842341, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") diff --git a/lib/one_gadget/builds/libc-2.33-97c8d90bd86bc698d156630e8803de433a640090.rb b/lib/one_gadget/builds/libc-2.33-97c8d90bd86bc698d156630e8803de433a640090.rb index 7c309806..e14e07e7 100644 --- a/lib/one_gadget/builds/libc-2.33-97c8d90bd86bc698d156630e8803de433a640090.rb +++ b/lib/one_gadget/builds/libc-2.33-97c8d90bd86bc698d156630e8803de433a640090.rb 
@@ -29,4 +29,19 @@ OneGadget::Gadget.add(build_id, 911737, constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 911846, + constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 911853, + constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 911915, + constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") +OneGadget::Gadget.add(build_id, 911922, + constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") +OneGadget::Gadget.add(build_id, 911926, + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") diff --git a/lib/one_gadget/builds/libc-2.33-9bf4c513db255ab7248cef9f0f96b4403df29852.rb b/lib/one_gadget/builds/libc-2.33-9bf4c513db255ab7248cef9f0f96b4403df29852.rb index 1a1c8bd4..3790885e 100644 --- a/lib/one_gadget/builds/libc-2.33-9bf4c513db255ab7248cef9f0f96b4403df29852.rb +++ b/lib/one_gadget/builds/libc-2.33-9bf4c513db255ab7248cef9f0f96b4403df29852.rb 
@@ -23,4 +23,10 @@ OneGadget::Gadget.add(build_id, 842388, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 842478, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") +OneGadget::Gadget.add(build_id, 842485, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") diff --git a/lib/one_gadget/builds/libc-2.33-9e592d3efa165bc2bab8b40426370bd50cb0b027.rb b/lib/one_gadget/builds/libc-2.33-9e592d3efa165bc2bab8b40426370bd50cb0b027.rb index b975f417..1288d6fa 100644 --- a/lib/one_gadget/builds/libc-2.33-9e592d3efa165bc2bab8b40426370bd50cb0b027.rb +++ b/lib/one_gadget/builds/libc-2.33-9e592d3efa165bc2bab8b40426370bd50cb0b027.rb @@ -23,4 +23,10 @@ OneGadget::Gadget.add(build_id, 838944, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 839034, + constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") +OneGadget::Gadget.add(build_id, 839041, + constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") diff --git a/lib/one_gadget/builds/libc-2.33-abf3b2a9815c0cd6e4280cd99474d34102804eb2.rb b/lib/one_gadget/builds/libc-2.33-abf3b2a9815c0cd6e4280cd99474d34102804eb2.rb index bc3bdf81..75442deb 100644 --- a/lib/one_gadget/builds/libc-2.33-abf3b2a9815c0cd6e4280cd99474d34102804eb2.rb +++ b/lib/one_gadget/builds/libc-2.33-abf3b2a9815c0cd6e4280cd99474d34102804eb2.rb 
@@ -23,4 +23,10 @@ OneGadget::Gadget.add(build_id, 838944, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 839034,
+ constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
+OneGadget::Gadget.add(build_id, 839041,
+ constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
diff --git a/lib/one_gadget/builds/libc-2.33-b046eecd056a0c30995703f6cfca7a8e3a9ef5fa.rb b/lib/one_gadget/builds/libc-2.33-b046eecd056a0c30995703f6cfca7a8e3a9ef5fa.rb
index 57e89ef9..2d41235a 100644
--- a/lib/one_gadget/builds/libc-2.33-b046eecd056a0c30995703f6cfca7a8e3a9ef5fa.rb
+++ b/lib/one_gadget/builds/libc-2.33-b046eecd056a0c30995703f6cfca7a8e3a9ef5fa.rb
@@ -23,4 +23,10 @@ OneGadget::Gadget.add(build_id, 838944, constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 839034,
+ constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
+OneGadget::Gadget.add(build_id, 839041,
+ constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
diff --git a/lib/one_gadget/fetchers/amd64.rb b/lib/one_gadget/fetchers/amd64.rb
index a9880fe0..4233c0e8 100644
--- a/lib/one_gadget/fetchers/amd64.rb
+++ b/lib/one_gadget/fetchers/amd64.rb
@@ -32,7 +32,7 @@ def candidates # ... # call execve def jmp_case_candidates
- `#{@objdump.command}|egrep 'rdi.*# #{bin_sh_hex}' -A 3`.split('--').map do |cand|
+ `#{@objdump.command}|egrep '# #{bin_sh_hex}' -A 8`.split('--').map do |cand|
cand = cand.lines.map(&:strip).reject(&:empty?) jmp_at = cand.index { |c| c.include?('jmp') } next nil if jmp_at.nil?
diff --git a/tasks/builds/generate.rake b/tasks/builds/generate.rake
index 2ad181f2..8d77820a 100644
--- a/tasks/builds/generate.rake
+++ b/tasks/builds/generate.rake
@@ -16,10 +16,12 @@ EOS namespace :builds do desc 'Generates lib/builds/*.rb from libc files' # bundle exec rake "builds:generate[../libcdb/libc/**/*]"
- task :generate, :pattern do |_t, args|
+ # bundle exec rake "builds:generate[../libcdb/libc/**/*, overwrite]"
+ task :generate, :pattern, :mode do |_t, args|
require 'elftools' require 'one_gadget' entries = Dir.glob(args.pattern).select { |f| File.file?(f) && !File.symlink?(f) }
+ overwrite = args.mode == 'overwrite'
total = entries.size if total > 1 print "Process #{total} files? (Y/n) "
@@ -39,7 +41,7 @@ namespace :builds do next skipped('version too old') if Gem::Version.new(version) < Gem::Version.new('2.19') filename = File.join(path, "libc-#{version}-#{info[:build_id]}.rb")
- next skipped('file exists') if File.file?(filename)
+ next skipped('file exists') if !overwrite && File.file?(filename)
gadgets = OneGadget.gadgets(file: libc_file, force_file: true, details: true, level: 100) next failed('no gadgets found') if gadgets.empty?
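Review bot: Widening the window to `-A 8` makes merged groups more likely, and the code after `split('--')` does not handle them: egrep prints the `--` separator only between non-adjacent groups, so two `# #{bin_sh_hex}` references fewer than eight lines apart arrive as one candidate, and `cand.index { |c| c.include?('jmp') }` then only ever examines the jmp that follows the first reference, silently dropping the second. Dropping the `rdi.*` prefix admits more matches and so raises that chance further. Consider splitting each group again at every line that contains `# #{bin_sh_hex}` before searching for the jmp, or at least record the limitation next to the command, e.g. `# NOTE: egrep merges matches closer than 8 lines; only the first jmp of a merged group is considered`, and update the comment block above the method so it no longer implies the string is loaded into rdi. The body of jmp_case_candidates continues below the hunk.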
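Review bot: `overwrite = args.mode == 'overwrite'` accepts any value for the new `mode` argument and silently treats everything but the exact word as the default, so a mistyped mode runs the whole batch with every existing file skipped as 'file exists' (the guard in the second hunk) without telling the caller the flag was ignored. A check beside the assignment makes the contract explicit: `abort "unknown mode: #{args.mode.inspect}" if args.mode && args.mode != 'overwrite'`. The usage comment added above the task could also state that `mode` is optional and that `overwrite` is its only accepted value.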
