david942j / one_gadget

The best tool for finding one gadget RCE in libc.so.6


one_gadget can't find any gadget in my glibc

levintp opened this issue · comments

I'm trying to find gadgets on my own GLIBC using one_gadget, but I can't seem to find anything.
Using the command like so:

$ one_gadget /usr/lib/libc.so.6

or

$ one_gadget /lib/libc.so.6

Gives no output at all. Using it on a binary that is not GLIBC gives an error so I know one_gadget is working.

GLIBC version is release 2.33.

Is it possible that there are no gadgets, am I doing something wrong, or is it a bug that I've encountered in one_gadget?

Could you provide more information, such as what OS you are using, and the output of

$ file /usr/lib/libc.so.6

and

$ file /lib/libc.so.6

It's possible that one_gadget may not work well (find fewer gadgets) on new glibc releases; I didn't test them after all.

I have Arch Linux on my system.

$ file /usr/lib/libc.so.6
/usr/lib/libc.so.6: symbolic link to libc-2.33.so

$ file /usr/lib/libc-2.33.so
/usr/lib/libc-2.33.so: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /usr/lib/ld-linux-x86-64.so.2, BuildID[sha1]=..., for GNU/Linux 4.4.0, not stripped

$ file /lib/libc.so.6
/lib/libc.so.6: symbolic link to libc-2.33.so

$ file /lib/libc-2.33.so
/lib/libc-2.33.so: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /usr/lib/ld-linux-x86-64.so.2, BuildID[sha1]=..., for GNU/Linux 4.4.0, not stripped

Both /lib/libc-2.33.so and /usr/lib/libc-2.33.so also show no gadgets found.

Sorry, I don't have Arch Linux, so it would be appreciated if you could upload the binaries here.

I don't know why he hid the hashes of the files, which is the most useful information. Anyway, I have an Arch-based distro and I confirmed that one_gadget fails to find gadgets.

I took a quick look at the file and I must say that it is kind of weird. I couldn't find many gadgets, and most are calling posix_spawn. The address 0xCC566 looks like a potential old-school gadget that uses execve:


Here is the file:
libc-2.33.so.zip

@umutoztunc Thanks for your help!

For the posix_spawn I have filed #121 but don't have time to work on it currently.

And yep, 0xcc566 seems to be a valid gadget that should be found; I can debug why it's not reported.