Thursday, February 23, 2017

[Project] The one-gadget in glibc

Introduction

One-gadgets are useful gadgets in glibc that lead to a call to execve('/bin/sh', NULL, NULL). They are convenient for getting RCE (remote code execution) whenever we can only control the PC (program counter). For example, sometimes a vulnerability only yields an arbitrary function call without control over the first argument, which prevents us from calling system("sh"); a one-gadget does the magic in this situation. I used to use IDA Pro to find these gadgets every time, even if I had already found them before. So I decided to stop doing such routine work and develop an easy-to-use tool for it.

one_gadget is the product: it not only finds one-gadgets but also shows the constraints that need to be satisfied for each of them.


This article records how one_gadget works.