david942j / one_gadget

The best tool for finding one gadget RCE in libc.so.6

Consider the content of argv array as constraints

david942j opened this issue · comments

Checked on glibc 2.31, https://gitlab.com/david942j/libcdb/blob/master/libc/libc6_2.31-0ubuntu10_amd64/lib/x86_64-linux-gnu/libc-2.31.so

   e6df7:       48 8d 05 ac 07 0d 00    lea    rax,[rip+0xd07ac]        # 1b75aa <_libc_intl_domainname@@GLIBC_2.2.5+0x1a5>
   e6dfe:       49 89 e3                mov    r11,rsp
   e6e01:       4c 8d 55 b0             lea    r10,[rbp-0x50]
   e6e05:       48 89 45 b0             mov    QWORD PTR [rbp-0x50],rax
   e6e09:       48 8b 45 98             mov    rax,QWORD PTR [rbp-0x68]
   e6e0d:       48 89 45 b8             mov    QWORD PTR [rbp-0x48],rax
   e6e11:       e9 25 ff ff ff          jmp    e6d3b <execvpe@@GLIBC_2.11+0x46b>
<...>
   e6d3b:       49 c7 42 10 00 00 00 00         mov    QWORD PTR [r10+0x10],0x0
   e6d43:       4c 89 e2                mov    rdx,r12
   e6d46:       4c 89 d6                mov    rsi,r10
   e6d49:       48 8d 3d 5a 08 0d 00    lea    rdi,[rip+0xd085a]        # 1b75aa <_libc_intl_domainname@@GLIBC_2.2.5+0x1a5>
   e6d50:       4c 89 5d 88             mov    QWORD PTR [rbp-0x78],r11
   e6d54:       e8 67 f4 ff ff          call   e61c0 <execve@@GLIBC_2.2.5>

It calls execve("/bin/sh", rbp-0x50, r12); the "array" at rbp-0x50 is { "/bin/sh", [rbp-0x68], 0 }, which is a valid one gadget with [rbp-0x68] == NULL as the constraint (and rbp-0x50 has to be writable).

Similar situation:

   0x7ffff7a72374 <do_system+964> mov rax, qword ptr [rip + 0x363b2d] <0x7ffff7a72374>
   0x7ffff7a7237b <do_system+971> lea rdi, [rip + 0x122066]
   0x7ffff7a72382 <do_system+978> lea rsi, [rsp + 0x30]
   0x7ffff7a72387 <do_system+983> mov dword ptr [rip + 0x36612f], 0 <0x7ffff7dd84c0>
   0x7ffff7a72391 <do_system+993> mov dword ptr [rip + 0x366129], 0 <0x7ffff7dd84c4>
   0x7ffff7a7239b <do_system+1003> mov rdx, qword ptr [rax]
   0x7ffff7a7239e <do_system+1006> call execve

The tool conservatively requires that [rsp + 0x30] == NULL must hold, but [rsp + 0x30] = 0x0000555555554dd1 (a valid ptr) and [rsp + 0x38] = NULL is also a valid case for a one gadget.
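Both comments above reduce to one rule about what /bin/sh does with its argv: execve cuts the array at the first NULL, and the shell only reads commands from stdin when nothing follows argv[0], so the gadget works when argv[0] == NULL or when argv[1] == NULL (with every kept entry being a readable pointer, or execve fails with EFAULT). The execvpe gadget has a known "/bin/sh" in slot 0 and a terminator in slot 2, so only [rbp-0x68] is left to constrain; the do_system gadget's argv lives entirely on the stack, so two alternatives remain rather than the single [rsp + 0x30] == NULL. The Ruby below is an added illustration of that derivation, not code from one_gadget or from either commenter; the Slot/known/mem helpers, the symbolic slot names and the readability block standing in for a real memory map are assumptions made for the example.

```ruby
# Added illustration (not one_gadget code): derive the constraint on an
# execve one gadget's argv array from the slots the gadget hands over.

NULL = 0

# One 8-byte slot of the argv array.  kind is :known when the gadget itself
# stored the value (a pointer to "/bin/sh", or 0 as terminator), or :mem
# when the slot is stack memory the gadget never wrote, named by its
# address expression (e.g. "[rbp-0x68]") so it can appear in a constraint.
Slot = Struct.new(:kind, :value)

def known(value); Slot.new(:known, value); end
def mem(expr);    Slot.new(:mem, expr);    end

# Condition under which a slot is NULL: nil when it is known to be NULL,
# :never when it is known to be non-NULL, otherwise a constraint string.
def null_condition(slot)
  if slot.kind == :known
    slot.value == NULL ? nil : :never
  else
    "#{slot.value} == NULL"
  end
end

# execve stops the array at the first NULL, and /bin/sh only drops into an
# interactive shell when nothing follows argv[0]: either argv[0] == NULL or
# argv[1] == NULL.  A non-NULL argv[1] would be taken as a script path.
# Returns the constraint in one_gadget's "a == NULL || b == NULL" style,
# "" when no constraint is needed, or nil when the gadget can never work.
# (Any non-NULL slot that is kept must also be a readable pointer, or
# execve fails with EFAULT; the symbolic form leaves that implicit.)
def argv_constraints(slots)
  raise ArgumentError, 'need at least argv[0] and argv[1]' if slots.length < 2
  c0 = null_condition(slots[0])
  c1 = null_condition(slots[1])
  return '' if c0.nil?                                  # argv[0] is NULL: empty argv
  return (c1 == :never ? nil : c1.to_s) if c0 == :never # e.g. argv[0] = "/bin/sh"
  return '' if c1.nil?                                  # argv[1] is NULL whatever argv[0] is
  return c0 if c1 == :never
  "#{c0} || #{c1}"
end

# Concrete counterpart: given the values actually read from the argv cells
# and a block that says whether an address is a readable string, decide
# whether execve("/bin/sh", argv, envp) gives an interactive shell.
def spawns_shell?(cells)
  argv = cells.take_while { |v| v != NULL }
  return false if argv.length == cells.length       # no terminator in the cells we know
  return false unless argv.all? { |p| yield(p) }    # unreadable pointer -> EFAULT
  argv.length <= 1
end

if __FILE__ == $PROGRAM_NAME
  # The execvpe gadget from the first comment: { "/bin/sh", [rbp-0x68], 0 }
  puts argv_constraints([known(:sh), mem('[rbp-0x68]'), known(NULL)])
  # do_system: every slot is stack memory, so two alternatives remain
  puts argv_constraints([mem('[rsp+0x30]'), mem('[rsp+0x38]')])
  # The snapshot quoted in the second comment (constructed readability check)
  snapshot = [0x0000555555554dd1, NULL]
  puts spawns_shell?(snapshot) { |p| p == 0x0000555555554dd1 }
end
```

For the execvpe slots this prints `[rbp-0x68] == NULL`, and for the do_system slots `[rsp+0x30] == NULL || [rsp+0x38] == NULL`, which is the relaxation the second comment asks for; the concrete check confirms the quoted snapshot (valid argv[0], NULL argv[1]) spawns a shell.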

Thanks for noting this and adding it as an improvement.