Closed lebr0nli closed 1 year ago
Thanks for this nice enhancement!
I haven't looked into the implementation yet, but you may want to resolve the test failure first: https://github.com/david942j/one_gadget/actions/runs/5506576476/job/15242511295
Because with your changes there seem to be more gadgets found.
> I haven't looked into the implementation yet, but you may want to resolve the test failure first:
Ok, done. I updated the tests and also fixed a bug I found while I examined some of the gadgets. Please let me know if anything is missing!
Merged, thanks a lot for the contribution!
This patch seemed to work well during the recent CTF challenge I played, and I have actually seen someone fail to solve the challenge because they got misled by the old version of one_gadget lol. Should we bump the version or maybe make a beta release?
Also it seems we need to update the gadgets/constraints saved on the remote(?); it seems like I still need to add a `-f` flag to avoid one_gadget fetching the wrong constraints from the remote sometimes.
I can probably help if I have some time (if needed :p); could you give me some guidance on helping maintain these? Thanks!
remote actually means on GitHub, let me do the update and release a new version
v1.9.0 released
Thanks!
Before this PR, one_gadget can't handle `argv` and `envp` well, especially when `argv` is on the stack. For example, with libc 2.37 from http://archive.ubuntu.com/ubuntu/pool/main/g/glibc//libc6_2.37-0ubuntu2_amd64.deb, one_gadget might find a gadget like this:
But this is not true; the disassembly of this gadget is something like:
So there are several problems:
1. `[rbp-0x50]` doesn't need to be `NULL`, because it will eventually be set to `rip+0xd1fb2` (the address of "/bin/sh"). In addition, `rbp-0x50` cannot be `NULL` because `rbp-0x50` should be writable.
2. When `execve` is called, its argv will be `[rbp-0x50]`. `[rbp-0x50]` will be set to the address of "/bin/sh", `[rbp-0x48]` will be set to `r12`, and `[rbp-0x40]` will be set to `NULL`. So the correct constraint is that `r12` needs to be NULL or somehow `{"/bin/sh", r12, NULL}` is a valid argv (e.g. `r12` points to the address of "-").
3. When `execve` is called, `r13` will become its envp. But `[r13]` or `r13` doesn't always need to be `NULL`. Actually, the content of `envp` is not very important most of the time; if it's not `NULL`, we just need to make sure it's pointing to a readable address with some continuous readable addresses inside it that make `r13` a valid envp.
After this PR, one_gadget will find the correct constraints for this gadget and show more useful information:
More before/after for the libc in http://archive.ubuntu.com/ubuntu/pool/main/g/glibc//libc6_2.37-0ubuntu2_amd64.deb:
Before:
After:
^ Similar to the first example, `[rbp-0x50]` is not controlled by the user; the correct constraints are `rax == NULL` or `{"/bin/sh", rax, NULL}` is a valid argv.
Before:
After:
^ By showing more details, users can more easily know that if they can control `[rsp+0x70]` to store a readable address (since sh won't be bothered by a weird `argv[0]`) and luckily `[rsp+0x78]` is `NULL`, they can spawn the shell.
Not very sure if this PR fully fixes the problem that #120 mentioned, but hopefully it should at least fix the case when argv is on the stack for x86 libc. Also, the enhancements and fixes introduced by this PR still have some TODOs (I mentioned them in the comments, e.g. the scoring parts). Currently, I don't have a good idea for resolving them; let me know if you have any ideas that I can improve in this PR. (Or maybe we can just leave them for now and fix them in another PR if they don't affect too much :p)