
Automatic finding one-gadget

Open Isaac0616 opened this issue 8 years ago • 10 comments

There is a tool for finding one-gadget written in Ruby. Is it a good idea to have one in pwntools?

Isaac0616, Mar 24 '17 06:03

Perhaps? It'd be better / easier to use if there were a single endpoint which had all of the offsets in a neutral format like JSON.

I think that the other tool is useful in its own right, I'm not sure that it necessarily fits into the Pwntools workflow currently.

zachriggle, Mar 24 '17 17:03

For anyone searching for "one_gadget pwntools" and ending up on this issue: I made the following utility function which calls the one_gadget tool with a path or build id and returns a list of offsets. It requires one_gadget to be installed and in the PATH:

import string
import subprocess


def get_one_gadgets(libc):
    """Return the one_gadget offsets for a libc, given either its path (str)
    or its GNU build id (the raw bytes ELF.buildid returns, or a 40-character
    hex string). Requires the one_gadget tool to be installed and on the PATH."""
    args = ["one_gadget", "-r"]  # -r: raw output, decimal offsets separated by spaces
    if isinstance(libc, bytes):
        libc = libc.hex()        # ELF.buildid is raw bytes; one_gadget wants hex
    if len(libc) == 40 and all(c in string.hexdigits for c in libc):
        args += ["-b", libc]     # look the libc up by build id
    else:
        args += [libc]           # treat the argument as a path to the libc file
    out = subprocess.check_output(args).decode('ascii')
    return [int(offset) for offset in out.split()]

which can then be called for example with:

print(get_one_gadgets(ELF('libc.so.6').buildid))

or

print(get_one_gadgets(ELF('challenge').libc.path))

ZetaTwo, Sep 29 '19 00:09

Maybe this fits you -

# third-party Python package (not the Ruby gem)
from one_gadget import generate_one_gadget

path_to_libc = './libc-2.23.so'

for offset in generate_one_gadget(path_to_libc):
    print(offset)

Spoiler! This does not work every time.

Hellsender01, Jan 03 '22 18:01

How acceptable would it be for pwntools to have a one_gadget function in the ELF class that simply uses subprocess to call the Ruby one_gadget? An error would have to be thrown in case it's not installed and on the PATH, but I think it could be incredibly helpful.

Not quite sure on the licensing issues this would invoke, though.

ir0nstone, Mar 26 '24 20:03

Nobody (except the transitional NMap license) ever argued spawning a subprocess constitutes a derivative work, so it falls just under 'use for any purpose' under both FSF-approved and OSI-approved licenses, so licensing-wise this is 100% safe. I would love to call a direct API though in case anyone ever implemented one. In case of an error we can just display a message analogous to missing binutils.

(Sent by email in reply to the comment of Tuesday 26 March 2024 from Andreja L, quoted above: https://github.com/Gallopsled/pwntools/issues/932#issuecomment-2021463188)

Arusekk, Mar 27 '24 10:03
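As an added example, not code from pwntools or from the one_gadget project, the following Python sketches what the wrapper discussed in this thread could look like: it builds the command line from a path or a build id the way ZetaTwo's helper above does, raises a descriptive error when the Ruby gem is not on the PATH (the "missing binutils" style message Arusekk mentions), and, unlike the `-r` wrapper, parses one_gadget's default output so the constraints on each gadget survive, then rebases the offsets against a leaked libc base. The function names, the injectable `which`/`run` parameters and `SAMPLE_OUTPUT` are assumptions made for this example; the sample is constructed to match one_gadget's output format and its offsets are made up, so run the tool against your own libc rather than reusing them.

```python
"""Added example (not pwntools or one_gadget code): a wrapper and parser
around the Ruby one_gadget tool, in the shape the thread discusses."""
import re
import shutil
import string
import subprocess


def one_gadget_args(libc):
    """Build the one_gadget command line for a libc path (str) or a GNU build
    id (raw bytes as ELF.buildid returns them, or a 40-character hex string)."""
    if isinstance(libc, bytes):
        libc = libc.hex()
    if len(libc) == 40 and all(c in string.hexdigits for c in libc):
        return ["one_gadget", "-b", libc]  # look the libc up by build id
    return ["one_gadget", libc]            # path to the libc file


def run_one_gadget(libc, which=shutil.which, run=subprocess.check_output):
    """Run one_gadget and return its parsed output.  `which` and `run` are
    injectable (an assumption of this example) so the failure path and the
    parsing can be exercised offline.  A missing gem produces a descriptive
    error instead of a bare FileNotFoundError from subprocess."""
    if which("one_gadget") is None:
        raise RuntimeError(
            "one_gadget not found on PATH; install the Ruby gem with "
            "`gem install one_gadget` (https://github.com/david942j/one_gadget)")
    text = run(one_gadget_args(libc)).decode("utf-8", "replace")
    return parse_one_gadget_output(text)


GADGET_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(.*)$")


def parse_one_gadget_output(text):
    """Parse one_gadget's default, human-readable output into a list of
    (offset, call, [constraints]) tuples.  Gadgets are separated by blank
    lines; each block is an offset line followed by a 'constraints:' list."""
    gadgets = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        m = GADGET_RE.match(lines[0]) if lines else None
        if not m:
            continue
        constraints = [ln for ln in lines[1:] if ln != "constraints:"]
        gadgets.append((int(m.group(1), 16), m.group(2), constraints))
    return gadgets


def rebase(gadgets, libc_base):
    """Turn libc-relative gadget offsets into absolute addresses, given the
    libc base recovered from a leak (e.g. leaked puts minus libc.symbols['puts'])."""
    return [(libc_base + off, call, cons) for off, call, cons in gadgets]


# Constructed sample, modelled on one_gadget's output format.  The offsets
# are made up for this example and do not belong to any particular libc.
SAMPLE_OUTPUT = """\
0x4a1f3 execve("/bin/sh", rsp+0x40, environ)
constraints:
  rsp & 0xf == 0
  rcx == NULL

0x4a24b execve("/bin/sh", rsp+0x40, environ)
constraints:
  [rsp+0x40] == NULL

0xe5b14 execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
"""


if __name__ == "__main__":
    # Offline demonstration: parse the constructed output and rebase it against
    # a made-up libc base, as one would after leaking a libc address.
    for addr, call, cons in rebase(parse_one_gadget_output(SAMPLE_OUTPUT), 0x7ffff7dc0000):
        print(hex(addr), call, "|", "; ".join(cons))
```

In a real exploit you would pass `ELF('libc.so.6').path` or `ELF('libc.so.6').buildid` to `run_one_gadget`, keep the constraints alongside the offsets, and pick the gadget whose constraint you can actually satisfy at the moment control flow is hijacked; the `-r` wrapper earlier in the thread discards that information.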