One gadget

Quick win

A one gadget is an execve("/bin/sh") command that is directly present in gLIBC. Using this gadget it's possible to execute an arbitrary code with a single gadget.

Finding one gadget

It's possible to retrieve all one gadget of a libc using the tool one_gadget :

# one_gadget /tmp/libc.so.6 
0x13ea3b execl("/bin/sh", eax)
constraints:
  ebp is the GOT address of libc
  eax == NULL

0x13ea3c execl("/bin/sh", [esp])
constraints:
  ebp is the GOT address of libc
  [esp] == NULL

For most of one gadget some requirements have to be met in order to execute the gadget.

PreviousJump Oriented Programming - JOP NextStack pivoting

Last updated 2 years ago