one_gadget
可通过glibc来获取shell
pip3 install one_gadget安装即可
Example
通过
one_gadget libc路径找到对应的get shell地址和get shell的条件如下面的
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
└─$ one_gadget /lib/x86_64-linux-gnu/libc.so.6
0x4d74c posix_spawn(rsp+0xc, "/bin/sh", 0, rbx, rsp+0x50, environ)
constraints:
address rsp+0x68 is writable
rsp & 0xf == 0
rax == NULL || {"sh", rax, rip+0x14a6c3, r12, ...} is a valid argv
rbx == NULL || (u16)[rbx] == NULL
0x4d753 posix_spawn(rsp+0xc, "/bin/sh", 0, rbx, rsp+0x50, environ)
constraints:
address rsp+0x68 is writable
rsp & 0xf == 0
rcx == NULL || {rcx, rax, rip+0x14a6c3, r12, ...} is a valid argv
rbx == NULL || (u16)[rbx] == NULL
0xd636b execve("/bin/sh", rbp-0x40, r13)
constraints:
address rbp-0x38 is writable
rdi == NULL || {"/bin/sh", rdi, NULL} is a valid argv
[r13] == NULL || r13 == NULL || r13 is a valid envp例如
2
3
4
5
6
constraints:#获取shell的约束条件
address rsp+0x68 is writable#rsp+0x68是可写的
rsp & 0xf == 0#rsp & 0xf为0
rax == NULL || {"sh", rax, rip+0x14a6c3, r12, ...} is a valid argv
rbx == NULL || (u16)[rbx] == NULL
- 标题: one_gadget
- 作者: runwu2204
- 创建于 : 2024-05-24 23:19:18
- 更新于 : 2024-06-09 02:11:37
- 链接: https://runwu2204.github.io/2024/05/24/Pwn/linux/tool/one_gadget/
- 版权声明: 本文章采用 CC BY-NC-SA 4.0 进行许可。
评论