One Gadget

Basic Information

One Gadget lets you obtain a shell without calling system with "/bin/sh". It searches the libc library for a way to obtain a shell (execve("/bin/sh")) using just one address. However, there are normally some constraints. The most common ones, which are also easy to satisfy, look like [rsp+0x30] == NULL. As you control the values on the stack that RSP points to, you just have to send some more NULL values so the constraint is met.

To the address indicated by One Gadget you need to add the base address where libc is loaded.
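The two steps above (reading the constraints and adding the libc base) as an added example, not code from the original page or from the One Gadget project. The tool output, offsets and memory map are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout one_gadget prints: an offset line followed
# by its constraints. The offsets are made up, not taken from a real libc.
SAMPLE_OUTPUT = """\
0x41000 execve("/bin/sh", rsp+0x30, environ)
constraints:
  rax == NULL

0x42000 execve("/bin/sh", rsp+0x30, environ)
constraints:
  [rsp+0x30] == NULL

0x43000 execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
  rcx == NULL
"""
# Constructed /proc/<pid>/maps excerpt of the process under the debugger.
SAMPLE_MAPS = """\
555555554000-555555555000 r-xp 00000000 08:01 1234 /home/user/chall
7ffff7dd5000-7ffff7df7000 r--p 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7df7000-7ffff7f6f000 r-xp 00022000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
"""
STACK_NULL = re.compile(r"^\[rsp\+0x[0-9a-f]+\] == NULL$")

def parse_gadgets(text):
    """Return [{'offset': int, 'constraints': [str, ...]}, ...]."""
    gadgets = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("0x"):
            gadgets.append({"offset": int(line.split()[0], 16), "constraints": []})
        elif line and line != "constraints:" and gadgets:
            gadgets[-1]["constraints"].append(line)
    return gadgets

def libc_base(maps_text):
    """Base address = start of the libc mapping whose file offset is 0."""
    for line in maps_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and "libc" in fields[5] and int(fields[2], 16) == 0:
            return int(fields[0].split("-")[0], 16)
    raise ValueError("libc mapping not found")

def resolve(text, maps_text):
    """Absolute addresses of gadgets constrained only by '[rsp+N] == NULL'."""
    base = libc_base(maps_text)
    return [base + g["offset"] for g in parse_gadgets(text)
            if all(STACK_NULL.match(c) for c in g["constraints"])]
```

Gadgets with register constraints (such as rax == NULL) are filtered out here because they depend on state at the call site rather than on stack contents.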

ARM64

The GitHub repo mentions that ARM64 is supported by the tool, but when running it against the libc of Kali 2023.3 it doesn't find any gadget.

Angry Gadget

From the GitHub repo: Inspired by OneGadget, this tool is written in Python and uses angr to test constraints for gadgets executing execve('/bin/sh', NULL, NULL). If you've run out of gadgets to try from OneGadget, Angry Gadget gives a lot more with complicated constraints to try!
