one_gadget
Consider the content of argv array as constraints
Checked on glibc 2.31, https://gitlab.com/david942j/libcdb/blob/master/libc/libc6_2.31-0ubuntu10_amd64/lib/x86_64-linux-gnu/libc-2.31.so
e6df7: 48 8d 05 ac 07 0d 00 lea rax,[rip+0xd07ac] # 1b75aa <_libc_intl_domainname@@GLIBC_2.2.5+0x1a5>
e6dfe: 49 89 e3 mov r11,rsp
e6e01: 4c 8d 55 b0 lea r10,[rbp-0x50]
e6e05: 48 89 45 b0 mov QWORD PTR [rbp-0x50],rax
e6e09: 48 8b 45 98 mov rax,QWORD PTR [rbp-0x68]
e6e0d: 48 89 45 b8 mov QWORD PTR [rbp-0x48],rax
e6e11: e9 25 ff ff ff jmp e6d3b <execvpe@@GLIBC_2.11+0x46b>
<...>
e6d3b: 49 c7 42 10 00 00 00 00 mov QWORD PTR [r10+0x10],0x0
e6d43: 4c 89 e2 mov rdx,r12
e6d46: 4c 89 d6 mov rsi,r10
e6d49: 48 8d 3d 5a 08 0d 00 lea rdi,[rip+0xd085a] # 1b75aa <_libc_intl_domainname@@GLIBC_2.2.5+0x1a5>
e6d50: 4c 89 5d 88 mov QWORD PTR [rbp-0x78],r11
e6d54: e8 67 f4 ff ff call e61c0 <execve@@GLIBC_2.2.5>
It calls execve("/bin/sh", rbp-0x50, r12); the "array" at rbp-0x50 is { "/bin/sh", [rbp-0x68], 0 }, which is a valid one gadget with [rbp-0x68] == NULL as the constraint (and rbp-0x50 has to be writable).
Similar situation:
0x7ffff7a72374 <do_system+964> mov rax, qword ptr [rip + 0x363b2d] <0x7ffff7a72374>
0x7ffff7a7237b <do_system+971> lea rdi, [rip + 0x122066]
0x7ffff7a72382 <do_system+978> lea rsi, [rsp + 0x30]
0x7ffff7a72387 <do_system+983> mov dword ptr [rip + 0x36612f], 0 <0x7ffff7dd84c0>
0x7ffff7a72391 <do_system+993> mov dword ptr [rip + 0x366129], 0 <0x7ffff7dd84c4>
0x7ffff7a7239b <do_system+1003> mov rdx, qword ptr [rax]
0x7ffff7a7239e <do_system+1006> call execve
The tool conservatively requires that [rsp + 0x30] == NULL hold, but [rsp + 0x30] = 0x0000555555554dd1 (a valid pointer) and [rsp + 0x38] = NULL is also a valid case for a one gadget.
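Both cases above come down to the same question: when the gadget reaches execve("/bin/sh", argv, envp), is the argv array a NULL-terminated list of readable pointers? The following is an added example, not code from one_gadget or from the reporter; it rebuilds both gadgets' argv layouts on a constructed stack frame (the stack contents, the readability predicate and the enum names are assumptions for illustration) and compares the conservative rule from the report, "the first slot the gadget does not write itself must be NULL", with the relaxed rule that walks argv to its terminator.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not part of one_gadget. Models the argv check the report asks
 * for: execve("/bin/sh", argv, envp) is usable whenever argv is a NULL-terminated
 * array whose entries before the terminator are readable pointers. The frame
 * layout below is constructed; word indices mirror the offsets in the report. */

#define NWORDS 32

struct frame {
    uint64_t words[NWORDS];  /* constructed stack words, lowest address first */
    char     sh[8];          /* constructed readable memory holding "/bin/sh" */
};

/* What a caller can leave in a stack slot in this model. */
enum cell { CELL_NULL, CELL_VALID_PTR, CELL_GARBAGE };

/* Hypothetical readability predicate; a real tool would consult the process maps. */
static int readable(const struct frame *f, uint64_t p)
{
    uint64_t slo = (uint64_t)(uintptr_t)f->sh,    shi = slo + sizeof f->sh;
    uint64_t wlo = (uint64_t)(uintptr_t)f->words, whi = wlo + sizeof f->words;
    return (p >= slo && p < shi) || (p >= wlo && p < whi);
}

static void init_frame(struct frame *f)
{
    memset(f, 0x41, sizeof *f);          /* uninitialised stack garbage */
    memcpy(f->sh, "/bin/sh", 8);
}

static uint64_t materialise(const struct frame *f, enum cell c)
{
    if (c == CELL_NULL)      return 0;
    if (c == CELL_VALID_PTR) return (uint64_t)(uintptr_t)f->sh;
    return 0x4141414141414141ULL;        /* CELL_GARBAGE: unmapped in this model */
}

/* Relaxed rule: a NULL terminates argv; everything before it must be readable. */
int argv_valid(const struct frame *f, const uint64_t *argv, size_t bound)
{
    for (size_t i = 0; i < bound; i++) {
        if (argv[i] == 0)
            return 1;
        if (!readable(f, argv[i]))
            return 0;
    }
    return 0;                            /* no terminator within the bound */
}

/* Conservative rule from the report: the first untouched slot must be NULL. */
int argv_valid_conservative(const uint64_t *argv, size_t first_untouched)
{
    return argv[first_untouched] == 0;
}

/* Gadget 1 (execvpe path): rbp is placed at words[20]; the gadget writes
 * argv = rbp-0x50 = words[10] as {"/bin/sh", [rbp-0x68], 0}. */
int check_gadget1(enum cell rbp_minus_0x68)
{
    struct frame f;
    init_frame(&f);
    uint64_t *rbp  = &f.words[20];
    uint64_t *argv = rbp - 10;           /* lea r10,[rbp-0x50] */
    rbp[-13] = materialise(&f, rbp_minus_0x68);
    argv[0] = (uint64_t)(uintptr_t)f.sh; /* mov [rbp-0x50], rax ("/bin/sh") */
    argv[1] = rbp[-13];                  /* mov rax,[rbp-0x68]; mov [rbp-0x48], rax */
    argv[2] = 0;                         /* mov [r10+0x10], 0 */
    return argv_valid(&f, argv, 3);
}

/* Gadget 2 (do_system path): rsi = rsp+0x30 and the gadget writes nothing into
 * argv, so argv[0] = [rsp+0x30] and argv[1] = [rsp+0x38] come from the caller. */
int check_gadget2(enum cell slot_0x30, enum cell slot_0x38, int conservative)
{
    struct frame f;
    init_frame(&f);
    uint64_t *rsp  = &f.words[4];
    uint64_t *argv = rsp + 6;            /* lea rsi,[rsp+0x30] */
    argv[0] = materialise(&f, slot_0x30);
    argv[1] = materialise(&f, slot_0x38);
    return conservative ? argv_valid_conservative(argv, 0)
                        : argv_valid(&f, argv, 2);
}

int main(void)
{
    printf("gadget1, [rbp-0x68] == NULL        : %d\n", check_gadget1(CELL_NULL));
    printf("gadget1, [rbp-0x68] garbage        : %d\n", check_gadget1(CELL_GARBAGE));
    printf("gadget2, {ptr, NULL}, relaxed      : %d\n", check_gadget2(CELL_VALID_PTR, CELL_NULL, 0));
    printf("gadget2, {ptr, NULL}, conservative : %d\n", check_gadget2(CELL_VALID_PTR, CELL_NULL, 1));
    return 0;
}
```

The relaxed walk is what a debugger-side check should do right before jumping to the gadget: read argv slot by slot from rsi until the first NULL and confirm each earlier value is mapped. Note that a non-NULL argv[1] still changes what /bin/sh does with it (it is taken as a script path), so "[rbp-0x68] == NULL" remains the useful constraint to report for the first gadget even though the array is well-formed either way.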
Thanks for noting this and adding it as an improvement.