Comments (4)
With the PR it becomes:
0x50a37 posix_spawn(rsp+0x1c, "/bin/sh", 0, rbp, rsp+0x60, environ)
constraints:
  rsp & 0xf == 0
  rcx == NULL
  rbp == NULL || (u16)[rbp] == NULL

0xebcf1 execve("/bin/sh", r10, [rbp-0x70])
constraints:
  address rbp-0x78 is writable
  [r10] == NULL || r10 == NULL
  [[rbp-0x70]] == NULL || [rbp-0x70] == NULL

0xebcf5 execve("/bin/sh", r10, rdx)
constraints:
  address rbp-0x78 is writable
  [r10] == NULL || r10 == NULL
  [rdx] == NULL || rdx == NULL

0xebcf8 execve("/bin/sh", rsi, rdx)
constraints:
  address rbp-0x78 is writable
  [rsi] == NULL || rsi == NULL
  [rdx] == NULL || rdx == NULL
This result looks better to me as well
from one_gadget.
Thanks for your report!
TBH it might not be clear which set of constraints is easier to achieve:
  address rbp-0x78 is writable
  [rsi] == NULL || rsi == NULL
  [rdx] == NULL || rdx == NULL

vs

  [rsp+0x70] == NULL
  [r9] == NULL || r9 == NULL
  rdx == NULL || (s32)[rdx+0x4] <= 0
But let me check whether I should properly tune my scoring system of gadgets' constraints.
from one_gadget.
True, the "easier to achieve" rating was quite subjective for my special use case. I still think that, from my limited personal experience, constraints on the stack are harder to fulfill.
Thanks for taking a look into it and the fast response!
from one_gadget.
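The two comments above disagree about which constraint set is "easier to achieve", and the maintainer mentions tuning a scoring system for gadget constraints. The Ruby script below is an added example written for this page, not one_gadget's own scoring code: it parses one_gadget-style output (the sample text is constructed from the gadgets quoted in this thread), classifies each constraint term as a register, writable-address, memory or stack constraint, and ranks gadgets by a weighted sum. The category weights, the rule that a `||` disjunction costs only its cheapest alternative, and the function names are all assumptions made for the illustration; they encode the reporter's view that stack-dependent constraints are the hardest to satisfy.

```ruby
# Added example, not one_gadget's code: rank one_gadget-style output by a
# constructed constraint-difficulty score. All weights are assumptions.

# Constructed sample: the post-PR gadgets quoted in the thread.
SAMPLE = <<~OUT
  0x50a37 posix_spawn(rsp+0x1c, "/bin/sh", 0, rbp, rsp+0x60, environ)
  constraints:
    rsp & 0xf == 0
    rcx == NULL
    rbp == NULL || (u16)[rbp] == NULL
  0xebcf1 execve("/bin/sh", r10, [rbp-0x70])
  constraints:
    address rbp-0x78 is writable
    [r10] == NULL || r10 == NULL
    [[rbp-0x70]] == NULL || [rbp-0x70] == NULL
  0xebcf5 execve("/bin/sh", r10, rdx)
  constraints:
    address rbp-0x78 is writable
    [r10] == NULL || r10 == NULL
    [rdx] == NULL || rdx == NULL
  0xebcf8 execve("/bin/sh", rsi, rdx)
  constraints:
    address rbp-0x78 is writable
    [rsi] == NULL || rsi == NULL
    [rdx] == NULL || rdx == NULL
OUT

# The pre-PR constraint set quoted by the maintainer (offset/call not given).
PRE_PR_CONSTRAINTS = [
  '[rsp+0x70] == NULL',
  '[r9] == NULL || r9 == NULL',
  'rdx == NULL || (s32)[rdx+0x4] <= 0'
].freeze

# Assumed difficulty weights: plain register values are the easiest to control,
# a dereference of a stack address the hardest (lower total = easier gadget).
WEIGHTS = { register: 1, writable: 2, memory: 3, stack: 4 }.freeze

# Classify one constraint term (one side of a '||').
def classify(term)
  t = term.strip
  return :writable if t.match?(/\Aaddress .+ is writable\z/)
  return :stack    if t.match?(/\[[^\]]*rsp/)   # dereference through rsp
  return :memory   if t.include?('[')           # any other dereference
  :register                                     # e.g. "rcx == NULL", "rsp & 0xf == 0"
end

# A disjunction is satisfied by its easiest alternative, so it costs the minimum.
def constraint_cost(constraint)
  constraint.split('||').map { |alt| WEIGHTS.fetch(classify(alt)) }.min
end

def score_constraints(constraints)
  constraints.sum { |c| constraint_cost(c) }
end

# Parse one_gadget-style text into [{offset:, call:, constraints: []}, ...].
def parse_gadgets(text)
  gadgets = []
  text.each_line(chomp: true) do |raw|
    line = raw.strip
    next if line.empty? || line == 'constraints:'
    if (m = line.match(/\A(0x[0-9a-f]+)\s+(\S.*)\z/))
      gadgets << { offset: m[1].to_i(16), call: m[2], constraints: [] }
    elsif gadgets.any?
      gadgets.last[:constraints] << line
    end
  end
  gadgets
end

# Rank gadgets: lowest score first, ties broken by offset.
def rank(text)
  parse_gadgets(text).sort_by { |g| [score_constraints(g[:constraints]), g[:offset]] }
end

if __FILE__ == $PROGRAM_NAME
  rank(SAMPLE).each do |g|
    printf("score %2d  0x%x %s\n", score_constraints(g[:constraints]), g[:offset], g[:call])
  end
  printf("score %2d  (pre-PR constraint set)\n", score_constraints(PRE_PR_CONSTRAINTS))
end
```

Under these assumed weights the posix_spawn gadget ranks first, the two execve gadgets with only register alternatives tie behind it, and the pre-PR set scores worse than the 0xebcf8 set because `[rsp+0x70] == NULL` has no register-only alternative; change the weights in `WEIGHTS` to see how sensitive the ordering is to the subjective choice both commenters mention.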
Released v1.8.1
from one_gadget.