One-gadget is a useful gadget in glibc, which leads to call (, , ). It's convenient to use it to get RCE (remote code execution) whenever we can only control ip (i.e. the program counter). For example, sometimes the vulnerability only leads to an arbitrary function call without controlling the first argument, which forbids us to call (). But one-gadgets can do the magic in this situation. I used to use IDA-pro to find these gadgets every time, even I found it before. So I decided to stop doing such routine and develop an easy-to-use tool for it.
one_gadget is the product, it not only finds one-gadgets but also shows the constraints need to be satisfied.
This article records how one_gadget works.
The source code of one_gadget can be found here.
It's a ruby gem, type gem install one_gadget in command line to install it.
First of all, a potential gadget must satisfy:
- has accessed to the /bin/sh string.
- call the exec* family function.
To demonstrate clearly, consider the following assembly code, which is the result of objdump of libc-2.23:
Line 45271 is equivalent to , and is exactly the string /bin/sh.
It's easy to find the string offset with command strings:
As the constraints of this gadget, notice line 45278 is . So we know the final result of this gadget is , which implies the constraint of this gadget is .
So the strategy of finding gadgets is simple:
- find assembly codes that access /bin/sh as one-gadget candidates.
- filter out candidates that not calling execve in a near line.
- The asm code looks like is the constraint.
This simple strategy can find three one-gadgets in glibc-2.19 and glibc-2.23, listed as follows:
These gadgets are useful since their constraints are only certain value on stack to be zero.
While this simple strategy totally fails in a 32-bit libc.
Let's see what a potential one-gadget in a 32-bit libc looks like:
There are two main differences between 32-bit and 64-bit:
- Data access: In 32-bit, it uses to access readonly data.
- Calling convention: In 32-bit, arguments are on the stack, while 64-bit uses registers.
Following discuss why these two differences make one-gadgets in 32-bit much harder to be found and used.
Data access method
64-bit libc uses the related offset of rip to access data segment. While in a 32-bit libc, there's assembly code looks like:
In different functions may use different register as the base to access data. For example, the first six lines of function fexecve is:
After executing instruction , ebx will be set as
libc_base+0xb06a9+0x101957=libc_base+0x1b2000, where 0x1b2000 is the value of dynamic tag PLTGOT:
$ readelf -d libc.so.6 | grep PLTGOT 0x00000003 (PLTGOT) 0x1b2000
Since we are finding one-gadgets, which should not appear in the first few lines of a function, that is, all 32-bit one-gadgets will have a constraint that certain register (usually ebx or esi) points to the GOT area in libc.
This constraint seems really tough, since ebx and esi are callee safe in x86, which means their value will be pop-ed back before a routine returns. While in practice, the value of esi or edi is already be the desired value in main, which was set in __libc_start_main. So this constraint still possible to be satisfied.
In 32-bit, the arguments are put in . There are two ways to do this, one is directly use mov to set these values, another is to use the push instruction. Two kinds of instructions need to be considered when finding gadgets, more complex than in 64-bit, but not hard.
All is well until I found this gadget:
At first glance we may say this gadget will call , but this is incorrect. Before line 3ac88 sets argv to , the value of esp has been changed by and , thus the correct result of this gadget should be .
Because of this complicated gadget, I decided not to use a rule-base strategy to find gadgets, but use symbolic execution instead.
I implement an extremely simple symbolic execution on Ruby to find one-gadgets. It's simple because we don't need to consider the condition-branch. All we need is to show the correct constraints for this gadget. For example, consider this assembly:
If we want the first argument of func to be zero, the real constraint is eax equals zero.
To deal with this, just set every registers and every stack slots as a symbolic variable, the meaning of symbolic can be found in the wiki page.
With SE, we can correctly resolve the constraints of one-gadgets. Furthermore, we can try to execute from any position in glibc, and check if it results in a function call like (, argv, environ).
The one_gadget tool is still under development, as version 1.3.1 it can find many one-gadgets in glibc-2.23. After removing duplicate or hard-to-reach constraints, six one-gadgets in 64-bit and three one-gadgets in 32-bit have been found, they are shown as follows:
I also tried different versions of libc, for example, one_gadget found six and four one-gadgets in glibc-2.19 64-bit and 32-bit, respectively.
Any suggestion is welcome, thanks for your reading :)