diff --git a/lib/one_gadget/builds/libc-2.19-01e14462fc6097604edd54a2ee63664c65b2c12b.rb b/lib/one_gadget/builds/libc-2.19-01e14462fc6097604edd54a2ee63664c65b2c12b.rb
index ccbf991..90e3db0 100644
--- a/lib/one_gadget/builds/libc-2.19-01e14462fc6097604edd54a2ee63664c65b2c12b.rb
+++ b/lib/one_gadget/builds/libc-2.19-01e14462fc6097604edd54a2ee63664c65b2c12b.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248135,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248142,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248151,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248187,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248191,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 408704,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 408708,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 408714,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 408718,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-01e23c38126dad7db569b176808a7c54db64a086.rb b/lib/one_gadget/builds/libc-2.19-01e23c38126dad7db569b176808a7c54db64a086.rb
index 747e912..56ac078 100644
--- a/lib/one_gadget/builds/libc-2.19-01e23c38126dad7db569b176808a7c54db64a086.rb
+++ b/lib/one_gadget/builds/libc-2.19-01e23c38126dad7db569b176808a7c54db64a086.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 274841,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 274848,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 274932,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 755165,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 755244,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 870272,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
OneGadget::Gadget.add(build_id, 874871,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 874883,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.19-02093f433808b294939b7a84c436c9eb4ec7f084.rb b/lib/one_gadget/builds/libc-2.19-02093f433808b294939b7a84c436c9eb4ec7f084.rb
index f09334c..7c0f479 100644
--- a/lib/one_gadget/builds/libc-2.19-02093f433808b294939b7a84c436c9eb4ec7f084.rb
+++ b/lib/one_gadget/builds/libc-2.19-02093f433808b294939b7a84c436c9eb4ec7f084.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 454764,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 454786,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454790,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454794,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 610067,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 610071,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 610077,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 610081,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-0301225d38bb881df8962a45d8c7f97449628511.rb b/lib/one_gadget/builds/libc-2.19-0301225d38bb881df8962a45d8c7f97449628511.rb
index d5a17b3..feda9da 100644
--- a/lib/one_gadget/builds/libc-2.19-0301225d38bb881df8962a45d8c7f97449628511.rb
+++ b/lib/one_gadget/builds/libc-2.19-0301225d38bb881df8962a45d8c7f97449628511.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261567,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 261574,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261583,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261619,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 261623,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415184,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 415188,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 415194,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 415198,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-036830b8f13a440ab4f419e46889b60e6e2b4211.rb b/lib/one_gadget/builds/libc-2.19-036830b8f13a440ab4f419e46889b60e6e2b4211.rb
index 2c290f2..0c67883 100644
--- a/lib/one_gadget/builds/libc-2.19-036830b8f13a440ab4f419e46889b60e6e2b4211.rb
+++ b/lib/one_gadget/builds/libc-2.19-036830b8f13a440ab4f419e46889b60e6e2b4211.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248167,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248174,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248183,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248219,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248223,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406672,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406676,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406682,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406686,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-03913aa050d557a99cc18f7b10e35f06e7c9265e.rb b/lib/one_gadget/builds/libc-2.19-03913aa050d557a99cc18f7b10e35f06e7c9265e.rb
index 724853f..0eecf26 100644
--- a/lib/one_gadget/builds/libc-2.19-03913aa050d557a99cc18f7b10e35f06e7c9265e.rb
+++ b/lib/one_gadget/builds/libc-2.19-03913aa050d557a99cc18f7b10e35f06e7c9265e.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267273,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267280,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267364,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 752861,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 752940,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 868503,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 868515,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 883824,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-05438cea9c1f9b3bbca9d9718319ee3742937f2e.rb b/lib/one_gadget/builds/libc-2.19-05438cea9c1f9b3bbca9d9718319ee3742937f2e.rb
index 149fe7e..06b1d68 100644
--- a/lib/one_gadget/builds/libc-2.19-05438cea9c1f9b3bbca9d9718319ee3742937f2e.rb
+++ b/lib/one_gadget/builds/libc-2.19-05438cea9c1f9b3bbca9d9718319ee3742937f2e.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248407,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248414,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248423,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248459,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248463,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406240,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406244,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406250,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406254,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-05d284a054b0c444fe40e91b25155a637b5cd35b.rb b/lib/one_gadget/builds/libc-2.19-05d284a054b0c444fe40e91b25155a637b5cd35b.rb
index 57b3e48..e3e95c8 100644
--- a/lib/one_gadget/builds/libc-2.19-05d284a054b0c444fe40e91b25155a637b5cd35b.rb
+++ b/lib/one_gadget/builds/libc-2.19-05d284a054b0c444fe40e91b25155a637b5cd35b.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254311,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254318,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254327,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254363,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254367,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 414519,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 414523,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 414529,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 414533,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-081d1ade5e735e7bbd0d2c1655a1eb7a0ab546ad.rb b/lib/one_gadget/builds/libc-2.19-081d1ade5e735e7bbd0d2c1655a1eb7a0ab546ad.rb
index 9469efa..0cb5612 100644
--- a/lib/one_gadget/builds/libc-2.19-081d1ade5e735e7bbd0d2c1655a1eb7a0ab546ad.rb
+++ b/lib/one_gadget/builds/libc-2.19-081d1ade5e735e7bbd0d2c1655a1eb7a0ab546ad.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261399,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 261406,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261415,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261451,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 261455,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412768,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412772,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412778,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412782,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-09aa28fd1054ee91085a7e13da58891c2d22058d.rb b/lib/one_gadget/builds/libc-2.19-09aa28fd1054ee91085a7e13da58891c2d22058d.rb
index a38f3a5..7d655fa 100644
--- a/lib/one_gadget/builds/libc-2.19-09aa28fd1054ee91085a7e13da58891c2d22058d.rb
+++ b/lib/one_gadget/builds/libc-2.19-09aa28fd1054ee91085a7e13da58891c2d22058d.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 263451,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbp, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 263458,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 263542,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 701565,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 701644,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 823243,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 823255,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 838384,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-0b3a9eb5ffbd93527a046585e2eb0c8ae804498b.rb b/lib/one_gadget/builds/libc-2.19-0b3a9eb5ffbd93527a046585e2eb0c8ae804498b.rb
index 701be68..12d520f 100644
--- a/lib/one_gadget/builds/libc-2.19-0b3a9eb5ffbd93527a046585e2eb0c8ae804498b.rb
+++ b/lib/one_gadget/builds/libc-2.19-0b3a9eb5ffbd93527a046585e2eb0c8ae804498b.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412615,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412619,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412625,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412629,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-0ca781d9dae5d7689f112aa047b949ba253a1a24.rb b/lib/one_gadget/builds/libc-2.19-0ca781d9dae5d7689f112aa047b949ba253a1a24.rb
index e0f365c..1964904 100644
--- a/lib/one_gadget/builds/libc-2.19-0ca781d9dae5d7689f112aa047b949ba253a1a24.rb
+++ b/lib/one_gadget/builds/libc-2.19-0ca781d9dae5d7689f112aa047b949ba253a1a24.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 253767,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 253774,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 253783,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 253819,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 253823,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 414439,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 414443,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 414449,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 414453,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-0cfe51d12d5ffdc0b80469a74e6e5afb8130cafb.rb b/lib/one_gadget/builds/libc-2.19-0cfe51d12d5ffdc0b80469a74e6e5afb8130cafb.rb
index f595bed..19465c9 100644
--- a/lib/one_gadget/builds/libc-2.19-0cfe51d12d5ffdc0b80469a74e6e5afb8130cafb.rb
+++ b/lib/one_gadget/builds/libc-2.19-0cfe51d12d5ffdc0b80469a74e6e5afb8130cafb.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 275065,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 275072,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 275156,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756589,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 756668,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 871776,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
OneGadget::Gadget.add(build_id, 876463,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 876475,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.19-0dd7691bd47c4270c2ce9343dff1fbe0e27ad9f3.rb b/lib/one_gadget/builds/libc-2.19-0dd7691bd47c4270c2ce9343dff1fbe0e27ad9f3.rb
index 3774e30..ee9e0cb 100644
--- a/lib/one_gadget/builds/libc-2.19-0dd7691bd47c4270c2ce9343dff1fbe0e27ad9f3.rb
+++ b/lib/one_gadget/builds/libc-2.19-0dd7691bd47c4270c2ce9343dff1fbe0e27ad9f3.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 454556,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 454578,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454582,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454586,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 609880,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 609884,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 609890,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 609894,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-0e1a9dd2ea0a174b53ad15979b049628cb2d7fd0.rb b/lib/one_gadget/builds/libc-2.19-0e1a9dd2ea0a174b53ad15979b049628cb2d7fd0.rb
index 2b14f89..1f52922 100644
--- a/lib/one_gadget/builds/libc-2.19-0e1a9dd2ea0a174b53ad15979b049628cb2d7fd0.rb
+++ b/lib/one_gadget/builds/libc-2.19-0e1a9dd2ea0a174b53ad15979b049628cb2d7fd0.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 260991,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 260998,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261007,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261043,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 261047,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412368,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412372,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412378,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412382,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-0fe755222a275227e03414bf80fe98560038cf7e.rb b/lib/one_gadget/builds/libc-2.19-0fe755222a275227e03414bf80fe98560038cf7e.rb
index ca644d1..edd0234 100644
--- a/lib/one_gadget/builds/libc-2.19-0fe755222a275227e03414bf80fe98560038cf7e.rb
+++ b/lib/one_gadget/builds/libc-2.19-0fe755222a275227e03414bf80fe98560038cf7e.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412615,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412619,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412625,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412629,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-10c913aa6554f3128781afb7846ac481b64c10b6.rb b/lib/one_gadget/builds/libc-2.19-10c913aa6554f3128781afb7846ac481b64c10b6.rb
index 7a50e01..73745da 100644
--- a/lib/one_gadget/builds/libc-2.19-10c913aa6554f3128781afb7846ac481b64c10b6.rb
+++ b/lib/one_gadget/builds/libc-2.19-10c913aa6554f3128781afb7846ac481b64c10b6.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 454556,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 454578,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454582,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454586,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 609859,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 609863,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 609869,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 609873,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-1142f4753ddff69c217e1e539272eaaf7d75da4c.rb b/lib/one_gadget/builds/libc-2.19-1142f4753ddff69c217e1e539272eaaf7d75da4c.rb
index 4472b4c..bba2f71 100644
--- a/lib/one_gadget/builds/libc-2.19-1142f4753ddff69c217e1e539272eaaf7d75da4c.rb
+++ b/lib/one_gadget/builds/libc-2.19-1142f4753ddff69c217e1e539272eaaf7d75da4c.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261639,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 261646,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261655,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261691,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 261695,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 414983,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 414987,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 414993,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 414997,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-12d7f074b08cab569614830552b5fe8a32707295.rb b/lib/one_gadget/builds/libc-2.19-12d7f074b08cab569614830552b5fe8a32707295.rb
index 2c8c2ef..c9993bc 100644
--- a/lib/one_gadget/builds/libc-2.19-12d7f074b08cab569614830552b5fe8a32707295.rb
+++ b/lib/one_gadget/builds/libc-2.19-12d7f074b08cab569614830552b5fe8a32707295.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267129,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267136,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267220,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754893,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 754972,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 870503,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 870515,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 885616,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-145bd51d758bf9c3e3b45949a2023cbaa0941e37.rb b/lib/one_gadget/builds/libc-2.19-145bd51d758bf9c3e3b45949a2023cbaa0941e37.rb
index 540c7c5..bbcd14a 100644
--- a/lib/one_gadget/builds/libc-2.19-145bd51d758bf9c3e3b45949a2023cbaa0941e37.rb
+++ b/lib/one_gadget/builds/libc-2.19-145bd51d758bf9c3e3b45949a2023cbaa0941e37.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267081,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267088,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267172,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754733,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 754812,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 870615,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 870627,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 885936,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-15b6f6d06e3435a22c15398ce99c3d649112f576.rb b/lib/one_gadget/builds/libc-2.19-15b6f6d06e3435a22c15398ce99c3d649112f576.rb
index a2430e2..59f40ab 100644
--- a/lib/one_gadget/builds/libc-2.19-15b6f6d06e3435a22c15398ce99c3d649112f576.rb
+++ b/lib/one_gadget/builds/libc-2.19-15b6f6d06e3435a22c15398ce99c3d649112f576.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 274185,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 274192,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 274276,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 753293,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 753372,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 868592,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
OneGadget::Gadget.add(build_id, 873336,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 873348,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.19-15c42742a61d7b2fe40dca9ca659a8f8f8ffea32.rb b/lib/one_gadget/builds/libc-2.19-15c42742a61d7b2fe40dca9ca659a8f8f8ffea32.rb
index 13b29be..9c8711e 100644
--- a/lib/one_gadget/builds/libc-2.19-15c42742a61d7b2fe40dca9ca659a8f8f8ffea32.rb
+++ b/lib/one_gadget/builds/libc-2.19-15c42742a61d7b2fe40dca9ca659a8f8f8ffea32.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267129,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267136,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267220,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754781,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 754860,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 870663,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 870675,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 885984,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-1606a4f3d8e807c5bf9b273ab202901115aa7a1e.rb b/lib/one_gadget/builds/libc-2.19-1606a4f3d8e807c5bf9b273ab202901115aa7a1e.rb
index a77d12f..84b4483 100644
--- a/lib/one_gadget/builds/libc-2.19-1606a4f3d8e807c5bf9b273ab202901115aa7a1e.rb
+++ b/lib/one_gadget/builds/libc-2.19-1606a4f3d8e807c5bf9b273ab202901115aa7a1e.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248407,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248414,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248423,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248459,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248463,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406240,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406244,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406250,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406254,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-17e8467dfe433c3622e6874d5795f6ac8edc8951.rb b/lib/one_gadget/builds/libc-2.19-17e8467dfe433c3622e6874d5795f6ac8edc8951.rb
index b3ad67f..bad7069 100644
--- a/lib/one_gadget/builds/libc-2.19-17e8467dfe433c3622e6874d5795f6ac8edc8951.rb
+++ b/lib/one_gadget/builds/libc-2.19-17e8467dfe433c3622e6874d5795f6ac8edc8951.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412647,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412651,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412657,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412661,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-1d7ac0a26e8dd7a9b8443fe4a5f59e46ee16ce74.rb b/lib/one_gadget/builds/libc-2.19-1d7ac0a26e8dd7a9b8443fe4a5f59e46ee16ce74.rb
index 74e137a..4436429 100644
--- a/lib/one_gadget/builds/libc-2.19-1d7ac0a26e8dd7a9b8443fe4a5f59e46ee16ce74.rb
+++ b/lib/one_gadget/builds/libc-2.19-1d7ac0a26e8dd7a9b8443fe4a5f59e46ee16ce74.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 454364,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 454386,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454390,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454394,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 607443,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 607447,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 607453,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 607457,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-1dae2bc5818d22b565ed441211d0e2df6e942c25.rb b/lib/one_gadget/builds/libc-2.19-1dae2bc5818d22b565ed441211d0e2df6e942c25.rb
index 1fcd405..7c7b857 100644
--- a/lib/one_gadget/builds/libc-2.19-1dae2bc5818d22b565ed441211d0e2df6e942c25.rb
+++ b/lib/one_gadget/builds/libc-2.19-1dae2bc5818d22b565ed441211d0e2df6e942c25.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 460812,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 460834,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 460838,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 460842,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 610008,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 610012,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 610018,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 610022,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-1db2291c040579630f551b3568d0bc8758aa25d7.rb b/lib/one_gadget/builds/libc-2.19-1db2291c040579630f551b3568d0bc8758aa25d7.rb
index 6bd43d0..205a920 100644
--- a/lib/one_gadget/builds/libc-2.19-1db2291c040579630f551b3568d0bc8758aa25d7.rb
+++ b/lib/one_gadget/builds/libc-2.19-1db2291c040579630f551b3568d0bc8758aa25d7.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 262991,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 262998,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 263082,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 759648,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 759868,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 883580,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 883592,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 898673,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-1dcad38451d0f4e339ac91079d6a20e40015d7f4.rb b/lib/one_gadget/builds/libc-2.19-1dcad38451d0f4e339ac91079d6a20e40015d7f4.rb
index fba96b5..f167352 100644
--- a/lib/one_gadget/builds/libc-2.19-1dcad38451d0f4e339ac91079d6a20e40015d7f4.rb
+++ b/lib/one_gadget/builds/libc-2.19-1dcad38451d0f4e339ac91079d6a20e40015d7f4.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 249047,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 249054,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249063,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249099,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 249103,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409632,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409636,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409642,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409646,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-20f983ed5f4a8d177a9839b4abe44ffa35e1eade.rb b/lib/one_gadget/builds/libc-2.19-20f983ed5f4a8d177a9839b4abe44ffa35e1eade.rb
index e0aeae2..ff983ec 100644
--- a/lib/one_gadget/builds/libc-2.19-20f983ed5f4a8d177a9839b4abe44ffa35e1eade.rb
+++ b/lib/one_gadget/builds/libc-2.19-20f983ed5f4a8d177a9839b4abe44ffa35e1eade.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 256039,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 256046,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 256055,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 256091,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 256095,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409184,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409188,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409194,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409198,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-21f20ffd821a693d32e258aa6a64e6bde5c5bdaf.rb b/lib/one_gadget/builds/libc-2.19-21f20ffd821a693d32e258aa6a64e6bde5c5bdaf.rb
index 49af62a..a807f34 100644
--- a/lib/one_gadget/builds/libc-2.19-21f20ffd821a693d32e258aa6a64e6bde5c5bdaf.rb
+++ b/lib/one_gadget/builds/libc-2.19-21f20ffd821a693d32e258aa6a64e6bde5c5bdaf.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 460812,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 460834,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 460838,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 460842,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 610008,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 610012,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 610018,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 610022,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-22325505e6f257ab00ca32d46cd444c903d5dc89.rb b/lib/one_gadget/builds/libc-2.19-22325505e6f257ab00ca32d46cd444c903d5dc89.rb
index 8a63b5f..121a23f 100644
--- a/lib/one_gadget/builds/libc-2.19-22325505e6f257ab00ca32d46cd444c903d5dc89.rb
+++ b/lib/one_gadget/builds/libc-2.19-22325505e6f257ab00ca32d46cd444c903d5dc89.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 262187,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 262194,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 262203,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 262239,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 262243,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 414981,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 414985,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 414991,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 414995,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-22ea459c5bf13179544fc0bc92372ebe52792f53.rb b/lib/one_gadget/builds/libc-2.19-22ea459c5bf13179544fc0bc92372ebe52792f53.rb
index dc03bea..73a29b0 100644
--- a/lib/one_gadget/builds/libc-2.19-22ea459c5bf13179544fc0bc92372ebe52792f53.rb
+++ b/lib/one_gadget/builds/libc-2.19-22ea459c5bf13179544fc0bc92372ebe52792f53.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406400,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406404,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406410,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406414,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-267899ea9a83d7e5bd2ae3e53943cd57da6a01e7.rb b/lib/one_gadget/builds/libc-2.19-267899ea9a83d7e5bd2ae3e53943cd57da6a01e7.rb
index 47920a3..31ca101 100644
--- a/lib/one_gadget/builds/libc-2.19-267899ea9a83d7e5bd2ae3e53943cd57da6a01e7.rb
+++ b/lib/one_gadget/builds/libc-2.19-267899ea9a83d7e5bd2ae3e53943cd57da6a01e7.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267081,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267088,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267172,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754733,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 754812,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 870631,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 870643,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 885952,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-26d70c7187d46c01bea7c22e8428fd6569d0f29c.rb b/lib/one_gadget/builds/libc-2.19-26d70c7187d46c01bea7c22e8428fd6569d0f29c.rb
index aa56363..2f38f49 100644
--- a/lib/one_gadget/builds/libc-2.19-26d70c7187d46c01bea7c22e8428fd6569d0f29c.rb
+++ b/lib/one_gadget/builds/libc-2.19-26d70c7187d46c01bea7c22e8428fd6569d0f29c.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412647,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412651,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412657,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412661,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-27ae159e7958021d9c784daa60ac582aeb2e380c.rb b/lib/one_gadget/builds/libc-2.19-27ae159e7958021d9c784daa60ac582aeb2e380c.rb
index fe7f450..3781da9 100644
--- a/lib/one_gadget/builds/libc-2.19-27ae159e7958021d9c784daa60ac582aeb2e380c.rb
+++ b/lib/one_gadget/builds/libc-2.19-27ae159e7958021d9c784daa60ac582aeb2e380c.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254967,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254974,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254983,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255019,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255023,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415207,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 415211,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 415217,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 415221,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-286f68616b18ea86201b1bd81c4e39ab441a876f.rb b/lib/one_gadget/builds/libc-2.19-286f68616b18ea86201b1bd81c4e39ab441a876f.rb
index 14228a6..26f5cc4 100644
--- a/lib/one_gadget/builds/libc-2.19-286f68616b18ea86201b1bd81c4e39ab441a876f.rb
+++ b/lib/one_gadget/builds/libc-2.19-286f68616b18ea86201b1bd81c4e39ab441a876f.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254967,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254974,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254983,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255019,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255023,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415175,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 415179,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 415185,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 415189,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-29ad0fae22588909ae24075cf3d30123d3563a3c.rb b/lib/one_gadget/builds/libc-2.19-29ad0fae22588909ae24075cf3d30123d3563a3c.rb
index e240e1c..b328a51 100644
--- a/lib/one_gadget/builds/libc-2.19-29ad0fae22588909ae24075cf3d30123d3563a3c.rb
+++ b/lib/one_gadget/builds/libc-2.19-29ad0fae22588909ae24075cf3d30123d3563a3c.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 262555,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbp, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 262562,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 262646,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 701405,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 701484,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 823359,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 823371,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 838688,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-29c9abe596db30c86fe28d30dc275485c7e3f240.rb b/lib/one_gadget/builds/libc-2.19-29c9abe596db30c86fe28d30dc275485c7e3f240.rb
index ece70e6..5b2d16e 100644
--- a/lib/one_gadget/builds/libc-2.19-29c9abe596db30c86fe28d30dc275485c7e3f240.rb
+++ b/lib/one_gadget/builds/libc-2.19-29c9abe596db30c86fe28d30dc275485c7e3f240.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412647,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412651,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412657,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412661,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-2aebf61fd92ce11ccbc35f4f5e1da8843415ff2f.rb b/lib/one_gadget/builds/libc-2.19-2aebf61fd92ce11ccbc35f4f5e1da8843415ff2f.rb
index 3c25d43..aaadb77 100644
--- a/lib/one_gadget/builds/libc-2.19-2aebf61fd92ce11ccbc35f4f5e1da8843415ff2f.rb
+++ b/lib/one_gadget/builds/libc-2.19-2aebf61fd92ce11ccbc35f4f5e1da8843415ff2f.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 274841,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 274848,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 274932,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 755165,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 755244,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 870176,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
OneGadget::Gadget.add(build_id, 874775,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 874787,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.19-2b7794adc3efbe94dd7f17bb28382f42415ef32c.rb b/lib/one_gadget/builds/libc-2.19-2b7794adc3efbe94dd7f17bb28382f42415ef32c.rb
index cfa7c45..06a919d 100644
--- a/lib/one_gadget/builds/libc-2.19-2b7794adc3efbe94dd7f17bb28382f42415ef32c.rb
+++ b/lib/one_gadget/builds/libc-2.19-2b7794adc3efbe94dd7f17bb28382f42415ef32c.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 452940,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 452962,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452966,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452970,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 606899,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 606903,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 606909,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 606913,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-2bb9296b7b2843ef007f7de1b2995bc33ec8294d.rb b/lib/one_gadget/builds/libc-2.19-2bb9296b7b2843ef007f7de1b2995bc33ec8294d.rb
index 2538190..2cc3ff4 100644
--- a/lib/one_gadget/builds/libc-2.19-2bb9296b7b2843ef007f7de1b2995bc33ec8294d.rb
+++ b/lib/one_gadget/builds/libc-2.19-2bb9296b7b2843ef007f7de1b2995bc33ec8294d.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412615,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412619,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412625,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412629,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-2bba9d358bac63ff81597767b5bc229316bd12e0.rb b/lib/one_gadget/builds/libc-2.19-2bba9d358bac63ff81597767b5bc229316bd12e0.rb
index f17ada9..4926898 100644
--- a/lib/one_gadget/builds/libc-2.19-2bba9d358bac63ff81597767b5bc229316bd12e0.rb
+++ b/lib/one_gadget/builds/libc-2.19-2bba9d358bac63ff81597767b5bc229316bd12e0.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267033,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267040,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267124,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 765053,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 765132,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 880919,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 880931,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 896240,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-2dad3f021a0e10d56a36a3e6e83c641013bb8d0d.rb b/lib/one_gadget/builds/libc-2.19-2dad3f021a0e10d56a36a3e6e83c641013bb8d0d.rb
index 33eda5d..5852812 100644
--- a/lib/one_gadget/builds/libc-2.19-2dad3f021a0e10d56a36a3e6e83c641013bb8d0d.rb
+++ b/lib/one_gadget/builds/libc-2.19-2dad3f021a0e10d56a36a3e6e83c641013bb8d0d.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 262991,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 262998,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 263082,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 759648,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 759868,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 883580,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 883592,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 898673,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-2dc3a77a63a29cdfce5000c5e562da4574560802.rb b/lib/one_gadget/builds/libc-2.19-2dc3a77a63a29cdfce5000c5e562da4574560802.rb
index 3fe9f62..0466a66 100644
--- a/lib/one_gadget/builds/libc-2.19-2dc3a77a63a29cdfce5000c5e562da4574560802.rb
+++ b/lib/one_gadget/builds/libc-2.19-2dc3a77a63a29cdfce5000c5e562da4574560802.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406400,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406404,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406410,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406414,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-2ee2c632ffc91afb8662573f6870c70a03fecaad.rb b/lib/one_gadget/builds/libc-2.19-2ee2c632ffc91afb8662573f6870c70a03fecaad.rb
index 9f48af7..155ffd8 100644
--- a/lib/one_gadget/builds/libc-2.19-2ee2c632ffc91afb8662573f6870c70a03fecaad.rb
+++ b/lib/one_gadget/builds/libc-2.19-2ee2c632ffc91afb8662573f6870c70a03fecaad.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 453852,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 453874,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 453878,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 453882,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 610323,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 610327,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 610333,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 610337,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-2fc2eb810e87cbb9d2a9c79bb1aa31c3b84330c0.rb b/lib/one_gadget/builds/libc-2.19-2fc2eb810e87cbb9d2a9c79bb1aa31c3b84330c0.rb
index b622381..b0c47ab 100644
--- a/lib/one_gadget/builds/libc-2.19-2fc2eb810e87cbb9d2a9c79bb1aa31c3b84330c0.rb
+++ b/lib/one_gadget/builds/libc-2.19-2fc2eb810e87cbb9d2a9c79bb1aa31c3b84330c0.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 256039,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 256046,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 256055,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 256091,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 256095,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409184,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409188,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409194,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409198,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-309303fe5b44867525d535b4b8df1d9890128765.rb b/lib/one_gadget/builds/libc-2.19-309303fe5b44867525d535b4b8df1d9890128765.rb
index 644fbcc..813c21e 100644
--- a/lib/one_gadget/builds/libc-2.19-309303fe5b44867525d535b4b8df1d9890128765.rb
+++ b/lib/one_gadget/builds/libc-2.19-309303fe5b44867525d535b4b8df1d9890128765.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 274185,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 274192,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 274276,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 764189,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 764268,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 878784,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
OneGadget::Gadget.add(build_id, 883528,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 883540,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.19-30c94dc66a1fe95180c3d68d2b89e576d5ae213c.rb b/lib/one_gadget/builds/libc-2.19-30c94dc66a1fe95180c3d68d2b89e576d5ae213c.rb
index f2637e8..91bf4f8 100644
--- a/lib/one_gadget/builds/libc-2.19-30c94dc66a1fe95180c3d68d2b89e576d5ae213c.rb
+++ b/lib/one_gadget/builds/libc-2.19-30c94dc66a1fe95180c3d68d2b89e576d5ae213c.rb
@@ -20,28 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 287953,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 287960,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 288044,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 793843,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 793922,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 936648,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL || [rbp-0xf0] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rbp-0xf0])")
OneGadget::Gadget.add(build_id, 940229,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 940241,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 944157,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
diff --git a/lib/one_gadget/builds/libc-2.19-30d456d1974436ca70141610c206bbd4e9ac127f.rb b/lib/one_gadget/builds/libc-2.19-30d456d1974436ca70141610c206bbd4e9ac127f.rb
index 2860a7b..23c85b9 100644
--- a/lib/one_gadget/builds/libc-2.19-30d456d1974436ca70141610c206bbd4e9ac127f.rb
+++ b/lib/one_gadget/builds/libc-2.19-30d456d1974436ca70141610c206bbd4e9ac127f.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412615,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412619,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412625,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412629,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-30dfa78b54091b3517212562fbe71c82031135df.rb b/lib/one_gadget/builds/libc-2.19-30dfa78b54091b3517212562fbe71c82031135df.rb
index 11eff74..5841316 100644
--- a/lib/one_gadget/builds/libc-2.19-30dfa78b54091b3517212562fbe71c82031135df.rb
+++ b/lib/one_gadget/builds/libc-2.19-30dfa78b54091b3517212562fbe71c82031135df.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 262523,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 262530,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 262539,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 262575,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 262579,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415317,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 415321,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 415327,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 415331,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-319d6e67364b59468f00c62003e31f9698590885.rb b/lib/one_gadget/builds/libc-2.19-319d6e67364b59468f00c62003e31f9698590885.rb
index 094e3f5..d979fb7 100644
--- a/lib/one_gadget/builds/libc-2.19-319d6e67364b59468f00c62003e31f9698590885.rb
+++ b/lib/one_gadget/builds/libc-2.19-319d6e67364b59468f00c62003e31f9698590885.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261015,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 261022,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261031,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261067,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 261071,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 414247,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 414251,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 414257,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 414261,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-325f373d48d6e3eb950fb4a1841cee80adf696e4.rb b/lib/one_gadget/builds/libc-2.19-325f373d48d6e3eb950fb4a1841cee80adf696e4.rb
index 415962e..965ebcf 100644
--- a/lib/one_gadget/builds/libc-2.19-325f373d48d6e3eb950fb4a1841cee80adf696e4.rb
+++ b/lib/one_gadget/builds/libc-2.19-325f373d48d6e3eb950fb4a1841cee80adf696e4.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254967,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254974,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254983,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255019,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255023,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415207,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 415211,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 415217,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 415221,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-335b30edc15f874730295594b30528ba178aeca7.rb b/lib/one_gadget/builds/libc-2.19-335b30edc15f874730295594b30528ba178aeca7.rb
index 887fed4..92b83de 100644
--- a/lib/one_gadget/builds/libc-2.19-335b30edc15f874730295594b30528ba178aeca7.rb
+++ b/lib/one_gadget/builds/libc-2.19-335b30edc15f874730295594b30528ba178aeca7.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 262523,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbp, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 262530,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 262614,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 700557,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 700636,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 822267,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 822279,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 837408,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-33adc3316a61d4db3e78e167be8f2d1c8b4a0474.rb b/lib/one_gadget/builds/libc-2.19-33adc3316a61d4db3e78e167be8f2d1c8b4a0474.rb
index 673853d..9b201e3 100644
--- a/lib/one_gadget/builds/libc-2.19-33adc3316a61d4db3e78e167be8f2d1c8b4a0474.rb
+++ b/lib/one_gadget/builds/libc-2.19-33adc3316a61d4db3e78e167be8f2d1c8b4a0474.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261639,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 261646,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261655,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261691,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 261695,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 414983,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 414987,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 414993,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 414997,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-34eca1b0e54755d19a70d3a74b744911f746902a.rb b/lib/one_gadget/builds/libc-2.19-34eca1b0e54755d19a70d3a74b744911f746902a.rb
index 12edccc..dae7ae9 100644
--- a/lib/one_gadget/builds/libc-2.19-34eca1b0e54755d19a70d3a74b744911f746902a.rb
+++ b/lib/one_gadget/builds/libc-2.19-34eca1b0e54755d19a70d3a74b744911f746902a.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 262563,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 262570,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 262579,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 262615,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 262619,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415381,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 415385,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 415391,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 415395,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-35597c5d9140178626b2989b0f3049c825f17249.rb b/lib/one_gadget/builds/libc-2.19-35597c5d9140178626b2989b0f3049c825f17249.rb
index 8f8344c..c2d43e7 100644
--- a/lib/one_gadget/builds/libc-2.19-35597c5d9140178626b2989b0f3049c825f17249.rb
+++ b/lib/one_gadget/builds/libc-2.19-35597c5d9140178626b2989b0f3049c825f17249.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248167,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248174,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248183,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248219,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248223,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 408992,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 408996,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409002,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409006,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-3565b3bf199d386bd0188a3690135b2ef82a559e.rb b/lib/one_gadget/builds/libc-2.19-3565b3bf199d386bd0188a3690135b2ef82a559e.rb
index 2b31411..c45439e 100644
--- a/lib/one_gadget/builds/libc-2.19-3565b3bf199d386bd0188a3690135b2ef82a559e.rb
+++ b/lib/one_gadget/builds/libc-2.19-3565b3bf199d386bd0188a3690135b2ef82a559e.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 454092,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 454114,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454118,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454122,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 609347,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 609351,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 609357,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 609361,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-365c74dde459303730e276b4d6022f1eacda06fd.rb b/lib/one_gadget/builds/libc-2.19-365c74dde459303730e276b4d6022f1eacda06fd.rb
index f8cac2e..d37a9e0 100644
--- a/lib/one_gadget/builds/libc-2.19-365c74dde459303730e276b4d6022f1eacda06fd.rb
+++ b/lib/one_gadget/builds/libc-2.19-365c74dde459303730e276b4d6022f1eacda06fd.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248407,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248414,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248423,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248459,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248463,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406240,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406244,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406250,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406254,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-3691e2c3b9f75fbaf99c93f201c86a2df07a98d2.rb b/lib/one_gadget/builds/libc-2.19-3691e2c3b9f75fbaf99c93f201c86a2df07a98d2.rb
index 947c707..4446810 100644
--- a/lib/one_gadget/builds/libc-2.19-3691e2c3b9f75fbaf99c93f201c86a2df07a98d2.rb
+++ b/lib/one_gadget/builds/libc-2.19-3691e2c3b9f75fbaf99c93f201c86a2df07a98d2.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 260991,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 260998,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261007,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261043,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 261047,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412368,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412372,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412378,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412382,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-3701aa1820d0a1dc12ac27ffde0ca8c63c50ab4a.rb b/lib/one_gadget/builds/libc-2.19-3701aa1820d0a1dc12ac27ffde0ca8c63c50ab4a.rb
index 4af6436..89dc2b4 100644
--- a/lib/one_gadget/builds/libc-2.19-3701aa1820d0a1dc12ac27ffde0ca8c63c50ab4a.rb
+++ b/lib/one_gadget/builds/libc-2.19-3701aa1820d0a1dc12ac27ffde0ca8c63c50ab4a.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412775,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412779,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412785,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412789,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-3883c7733b2a0819e0c7c2dcbadfdac26e0e2b72.rb b/lib/one_gadget/builds/libc-2.19-3883c7733b2a0819e0c7c2dcbadfdac26e0e2b72.rb
index 4714a6f..cf2967e 100644
--- a/lib/one_gadget/builds/libc-2.19-3883c7733b2a0819e0c7c2dcbadfdac26e0e2b72.rb
+++ b/lib/one_gadget/builds/libc-2.19-3883c7733b2a0819e0c7c2dcbadfdac26e0e2b72.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 454092,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 454114,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454118,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454122,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 607171,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 607175,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 607181,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 607185,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-395c995bb2028f96efb60a6ebce75ed51d58c0b0.rb b/lib/one_gadget/builds/libc-2.19-395c995bb2028f96efb60a6ebce75ed51d58c0b0.rb
index 1d62193..b57ceb5 100644
--- a/lib/one_gadget/builds/libc-2.19-395c995bb2028f96efb60a6ebce75ed51d58c0b0.rb
+++ b/lib/one_gadget/builds/libc-2.19-395c995bb2028f96efb60a6ebce75ed51d58c0b0.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 453196,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 453218,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 453222,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 453226,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 607139,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 607143,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 607149,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 607153,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-39612ce36adeb6f7e92658cd62c737bc3a260586.rb b/lib/one_gadget/builds/libc-2.19-39612ce36adeb6f7e92658cd62c737bc3a260586.rb
index 2d1f9f3..e4f7db9 100644
--- a/lib/one_gadget/builds/libc-2.19-39612ce36adeb6f7e92658cd62c737bc3a260586.rb
+++ b/lib/one_gadget/builds/libc-2.19-39612ce36adeb6f7e92658cd62c737bc3a260586.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248567,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248574,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248583,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248619,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248623,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 408528,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 408532,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 408538,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 408542,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-397c84e78c14cbffba39a48184db482211df9fb3.rb b/lib/one_gadget/builds/libc-2.19-397c84e78c14cbffba39a48184db482211df9fb3.rb
index 6549c88..71879cf 100644
--- a/lib/one_gadget/builds/libc-2.19-397c84e78c14cbffba39a48184db482211df9fb3.rb
+++ b/lib/one_gadget/builds/libc-2.19-397c84e78c14cbffba39a48184db482211df9fb3.rb
@@ -20,19 +20,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261720,
+ constraints: ["writable: x21+0x2e0", "{\"sh\", \"-c\", x22, x1, ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x68, environ)")
OneGadget::Gadget.add(build_id, 261724,
- constraints: ["writable: x21+0x2e0", "x3+0x9e0 == NULL"],
+ constraints: ["writable: x21+0x2e0", "x3+0x9e0 == NULL || {x3+0x9e0, \"-c\", x22, x1, ...} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x68, environ)")
OneGadget::Gadget.add(build_id, 261732,
- constraints: ["writable: x20", "writable: x21+0x2e0", "[x20] == NULL || x20 == NULL"],
+ constraints: ["writable: x20", "writable: x21+0x2e0", "[x20] == NULL || x20 == NULL || x20 is a valid argv"],
effect: "execve(\"/bin/sh\", x20, environ)")
OneGadget::Gadget.add(build_id, 261808,
- constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x20] == NULL || x20 == NULL"],
+ constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x20] == NULL || x20 == NULL || x20 is a valid argv"],
effect: "execve(\"/bin/sh\", x20, environ)")
OneGadget::Gadget.add(build_id, 261820,
- constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x1] == NULL || x1 == NULL", "[[x0]] == NULL || [x0] == NULL"],
+ constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x1] == NULL || x1 == NULL || x1 is a valid argv", "[[x0]] == NULL || [x0] == NULL || [x0] is a valid envp"],
effect: "execve(\"/bin/sh\", x1, [x0])")
OneGadget::Gadget.add(build_id, 261824,
- constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x1] == NULL || x1 == NULL", "[x2] == NULL || x2 == NULL"],
+ constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x1] == NULL || x1 == NULL || x1 is a valid argv", "[x2] == NULL || x2 == NULL || x2 is a valid envp"],
effect: "execve(\"/bin/sh\", x1, x2)")
diff --git a/lib/one_gadget/builds/libc-2.19-39f403e178f6c4db89f200bae5afd6c55f61e34b.rb b/lib/one_gadget/builds/libc-2.19-39f403e178f6c4db89f200bae5afd6c55f61e34b.rb
index f6ded99..31245b4 100644
--- a/lib/one_gadget/builds/libc-2.19-39f403e178f6c4db89f200bae5afd6c55f61e34b.rb
+++ b/lib/one_gadget/builds/libc-2.19-39f403e178f6c4db89f200bae5afd6c55f61e34b.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255911,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 255918,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 255927,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 255963,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255967,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409056,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409060,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409066,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409070,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-3bbdc31d826a2bd8af0919d958620342c295c557.rb b/lib/one_gadget/builds/libc-2.19-3bbdc31d826a2bd8af0919d958620342c295c557.rb
index 55303af..6388f80 100644
--- a/lib/one_gadget/builds/libc-2.19-3bbdc31d826a2bd8af0919d958620342c295c557.rb
+++ b/lib/one_gadget/builds/libc-2.19-3bbdc31d826a2bd8af0919d958620342c295c557.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 266985,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 266992,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267076,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 765005,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 765084,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 880871,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 880883,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 896192,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-3ea89e2234c5203ef245cd4146b515794079ceac.rb b/lib/one_gadget/builds/libc-2.19-3ea89e2234c5203ef245cd4146b515794079ceac.rb
index 9a40bd2..f925a77 100644
--- a/lib/one_gadget/builds/libc-2.19-3ea89e2234c5203ef245cd4146b515794079ceac.rb
+++ b/lib/one_gadget/builds/libc-2.19-3ea89e2234c5203ef245cd4146b515794079ceac.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412647,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412651,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412657,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412661,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-3f8df0a32477b9b5c8521116e4d554f4dd784e9c.rb b/lib/one_gadget/builds/libc-2.19-3f8df0a32477b9b5c8521116e4d554f4dd784e9c.rb
index 8c7fa9a..64ce0ac 100644
--- a/lib/one_gadget/builds/libc-2.19-3f8df0a32477b9b5c8521116e4d554f4dd784e9c.rb
+++ b/lib/one_gadget/builds/libc-2.19-3f8df0a32477b9b5c8521116e4d554f4dd784e9c.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267897,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267904,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267988,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 755149,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 755228,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 870775,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 870787,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 885888,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-40410c37ab2b3867bcc1efa841c4bd990bbaced6.rb b/lib/one_gadget/builds/libc-2.19-40410c37ab2b3867bcc1efa841c4bd990bbaced6.rb
index ac708c9..ebea4eb 100644
--- a/lib/one_gadget/builds/libc-2.19-40410c37ab2b3867bcc1efa841c4bd990bbaced6.rb
+++ b/lib/one_gadget/builds/libc-2.19-40410c37ab2b3867bcc1efa841c4bd990bbaced6.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 274313,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 274320,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 274404,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 753661,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 753740,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 868944,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
OneGadget::Gadget.add(build_id, 873688,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 873700,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.19-40443517ebed72833c0cea4364db0346c422be75.rb b/lib/one_gadget/builds/libc-2.19-40443517ebed72833c0cea4364db0346c422be75.rb
index 2510e10..faae6e6 100644
--- a/lib/one_gadget/builds/libc-2.19-40443517ebed72833c0cea4364db0346c422be75.rb
+++ b/lib/one_gadget/builds/libc-2.19-40443517ebed72833c0cea4364db0346c422be75.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412615,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412619,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412625,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412629,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-410c538cbb80e04ba67f8f93ead7c915cb8b151e.rb b/lib/one_gadget/builds/libc-2.19-410c538cbb80e04ba67f8f93ead7c915cb8b151e.rb
index 177f857..8f1d68c 100644
--- a/lib/one_gadget/builds/libc-2.19-410c538cbb80e04ba67f8f93ead7c915cb8b151e.rb
+++ b/lib/one_gadget/builds/libc-2.19-410c538cbb80e04ba67f8f93ead7c915cb8b151e.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255467,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 255474,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255483,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255519,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255523,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 417007,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 417011,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 417017,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 417021,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-410c5d16e862678b3263a8250ad936b99554050c.rb b/lib/one_gadget/builds/libc-2.19-410c5d16e862678b3263a8250ad936b99554050c.rb
index 38a2c04..837b56b 100644
--- a/lib/one_gadget/builds/libc-2.19-410c5d16e862678b3263a8250ad936b99554050c.rb
+++ b/lib/one_gadget/builds/libc-2.19-410c5d16e862678b3263a8250ad936b99554050c.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254567,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254574,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254583,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254619,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254623,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412743,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412747,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412753,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412757,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-42150628cea5ef0a4f7f48267f0d6fd206d7bef4.rb b/lib/one_gadget/builds/libc-2.19-42150628cea5ef0a4f7f48267f0d6fd206d7bef4.rb
index f5125e8..49aae05 100644
--- a/lib/one_gadget/builds/libc-2.19-42150628cea5ef0a4f7f48267f0d6fd206d7bef4.rb
+++ b/lib/one_gadget/builds/libc-2.19-42150628cea5ef0a4f7f48267f0d6fd206d7bef4.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 414711,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 414715,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 414721,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 414725,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-4315ee2103b2f1797d8d18ef03714dbdc4417095.rb b/lib/one_gadget/builds/libc-2.19-4315ee2103b2f1797d8d18ef03714dbdc4417095.rb
index 7b4f1b4..27b36a0 100644
--- a/lib/one_gadget/builds/libc-2.19-4315ee2103b2f1797d8d18ef03714dbdc4417095.rb
+++ b/lib/one_gadget/builds/libc-2.19-4315ee2103b2f1797d8d18ef03714dbdc4417095.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 454076,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 454098,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454102,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454106,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 607155,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 607159,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 607165,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 607169,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-4360063303905bf941489398b5601c5e2bc6c3a7.rb b/lib/one_gadget/builds/libc-2.19-4360063303905bf941489398b5601c5e2bc6c3a7.rb
index 1546214..b5bbe41 100644
--- a/lib/one_gadget/builds/libc-2.19-4360063303905bf941489398b5601c5e2bc6c3a7.rb
+++ b/lib/one_gadget/builds/libc-2.19-4360063303905bf941489398b5601c5e2bc6c3a7.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267865,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267872,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267956,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754877,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 754956,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 870503,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 870515,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 885520,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-441d0bc3f372750187a7cc29528fca0f2fa4297d.rb b/lib/one_gadget/builds/libc-2.19-441d0bc3f372750187a7cc29528fca0f2fa4297d.rb
index 8fc6a84..acdc14e 100644
--- a/lib/one_gadget/builds/libc-2.19-441d0bc3f372750187a7cc29528fca0f2fa4297d.rb
+++ b/lib/one_gadget/builds/libc-2.19-441d0bc3f372750187a7cc29528fca0f2fa4297d.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 454092,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 454114,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454118,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454122,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 606995,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 606999,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 607005,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 607009,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-444c5eaa7cb665ed9b90d3edc47e07c9eeb22c49.rb b/lib/one_gadget/builds/libc-2.19-444c5eaa7cb665ed9b90d3edc47e07c9eeb22c49.rb
index 00c08b1..d2354a5 100644
--- a/lib/one_gadget/builds/libc-2.19-444c5eaa7cb665ed9b90d3edc47e07c9eeb22c49.rb
+++ b/lib/one_gadget/builds/libc-2.19-444c5eaa7cb665ed9b90d3edc47e07c9eeb22c49.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412647,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412651,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412657,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412661,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-458c7913f032820ce7610496892f79a4779b0224.rb b/lib/one_gadget/builds/libc-2.19-458c7913f032820ce7610496892f79a4779b0224.rb
index a95a811..e1000b3 100644
--- a/lib/one_gadget/builds/libc-2.19-458c7913f032820ce7610496892f79a4779b0224.rb
+++ b/lib/one_gadget/builds/libc-2.19-458c7913f032820ce7610496892f79a4779b0224.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412775,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412779,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412785,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412789,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-460355a265c134c0c801820ab5e80e37e2cd9b00.rb b/lib/one_gadget/builds/libc-2.19-460355a265c134c0c801820ab5e80e37e2cd9b00.rb
index 5690040..7c41752 100644
--- a/lib/one_gadget/builds/libc-2.19-460355a265c134c0c801820ab5e80e37e2cd9b00.rb
+++ b/lib/one_gadget/builds/libc-2.19-460355a265c134c0c801820ab5e80e37e2cd9b00.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 460812,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 460834,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 460838,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 460842,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 610008,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 610012,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 610018,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 610022,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-47411da31c1af33c897d1646f68d4443c3a156f2.rb b/lib/one_gadget/builds/libc-2.19-47411da31c1af33c897d1646f68d4443c3a156f2.rb
index 278defa..d15be75 100644
--- a/lib/one_gadget/builds/libc-2.19-47411da31c1af33c897d1646f68d4443c3a156f2.rb
+++ b/lib/one_gadget/builds/libc-2.19-47411da31c1af33c897d1646f68d4443c3a156f2.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 266985,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 266992,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267076,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 765005,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 765084,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 880199,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 880211,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 895520,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-482a813d828d5fe257838e679dff9b7be56bf4fb.rb b/lib/one_gadget/builds/libc-2.19-482a813d828d5fe257838e679dff9b7be56bf4fb.rb
index 470b6e4..56e1e0f 100644
--- a/lib/one_gadget/builds/libc-2.19-482a813d828d5fe257838e679dff9b7be56bf4fb.rb
+++ b/lib/one_gadget/builds/libc-2.19-482a813d828d5fe257838e679dff9b7be56bf4fb.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267913,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267920,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 268004,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 755165,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 755244,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 870791,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 870803,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 885904,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-484428905d6e138e0b88e97107732ace68c12752.rb b/lib/one_gadget/builds/libc-2.19-484428905d6e138e0b88e97107732ace68c12752.rb
index 71e2861..bbf8688 100644
--- a/lib/one_gadget/builds/libc-2.19-484428905d6e138e0b88e97107732ace68c12752.rb
+++ b/lib/one_gadget/builds/libc-2.19-484428905d6e138e0b88e97107732ace68c12752.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 452940,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 452962,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452966,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452970,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 606899,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 606903,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 606909,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 606913,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-4866fc3ad424dfb788e9ad11039b7759f3b51574.rb b/lib/one_gadget/builds/libc-2.19-4866fc3ad424dfb788e9ad11039b7759f3b51574.rb
index 8177121..594e8c9 100644
--- a/lib/one_gadget/builds/libc-2.19-4866fc3ad424dfb788e9ad11039b7759f3b51574.rb
+++ b/lib/one_gadget/builds/libc-2.19-4866fc3ad424dfb788e9ad11039b7759f3b51574.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 266937,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 266944,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267028,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754125,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 754204,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 869735,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 869747,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 884848,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-48b333aa64a86c31334714305379a6c1f1701c69.rb b/lib/one_gadget/builds/libc-2.19-48b333aa64a86c31334714305379a6c1f1701c69.rb
index 4b0cdf5..7e068d0 100644
--- a/lib/one_gadget/builds/libc-2.19-48b333aa64a86c31334714305379a6c1f1701c69.rb
+++ b/lib/one_gadget/builds/libc-2.19-48b333aa64a86c31334714305379a6c1f1701c69.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 452940,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 452962,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452966,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452970,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 606899,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 606903,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 606909,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 606913,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-49f3ac15a25f78f0258283b3a207017e51ced583.rb b/lib/one_gadget/builds/libc-2.19-49f3ac15a25f78f0258283b3a207017e51ced583.rb
index 435a93c..f34d916 100644
--- a/lib/one_gadget/builds/libc-2.19-49f3ac15a25f78f0258283b3a207017e51ced583.rb
+++ b/lib/one_gadget/builds/libc-2.19-49f3ac15a25f78f0258283b3a207017e51ced583.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406400,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406404,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406410,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406414,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-4a384b8c751de6c0e2652261310104bf1b2127d5.rb b/lib/one_gadget/builds/libc-2.19-4a384b8c751de6c0e2652261310104bf1b2127d5.rb
index ff90d48..d6df1fc 100644
--- a/lib/one_gadget/builds/libc-2.19-4a384b8c751de6c0e2652261310104bf1b2127d5.rb
+++ b/lib/one_gadget/builds/libc-2.19-4a384b8c751de6c0e2652261310104bf1b2127d5.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254295,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254302,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254311,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254347,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254351,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 414559,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 414563,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 414569,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 414573,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-4a5eeadb796e6dba8f289a90de2b53e71c8e8788.rb b/lib/one_gadget/builds/libc-2.19-4a5eeadb796e6dba8f289a90de2b53e71c8e8788.rb
index 1934a09..2cf9f35 100644
--- a/lib/one_gadget/builds/libc-2.19-4a5eeadb796e6dba8f289a90de2b53e71c8e8788.rb
+++ b/lib/one_gadget/builds/libc-2.19-4a5eeadb796e6dba8f289a90de2b53e71c8e8788.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248567,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248574,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248583,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248619,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248623,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 408560,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 408564,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 408570,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 408574,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-4daad26169c5c868b8ae90587fff76cc28e7b309.rb b/lib/one_gadget/builds/libc-2.19-4daad26169c5c868b8ae90587fff76cc28e7b309.rb
index 96a7ced..b5292d3 100644
--- a/lib/one_gadget/builds/libc-2.19-4daad26169c5c868b8ae90587fff76cc28e7b309.rb
+++ b/lib/one_gadget/builds/libc-2.19-4daad26169c5c868b8ae90587fff76cc28e7b309.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255911,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 255918,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 255927,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 255963,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255967,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409024,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409028,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409034,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409038,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-4e304f78f3cfb52dd521bd6fd8ae7a0c7400104e.rb b/lib/one_gadget/builds/libc-2.19-4e304f78f3cfb52dd521bd6fd8ae7a0c7400104e.rb
index 83f6698..a41a727 100644
--- a/lib/one_gadget/builds/libc-2.19-4e304f78f3cfb52dd521bd6fd8ae7a0c7400104e.rb
+++ b/lib/one_gadget/builds/libc-2.19-4e304f78f3cfb52dd521bd6fd8ae7a0c7400104e.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254567,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254574,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254583,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254619,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254623,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412711,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412715,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412721,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412725,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-4e9b0243eb28ea1a14539448a5317d6215fa13fa.rb b/lib/one_gadget/builds/libc-2.19-4e9b0243eb28ea1a14539448a5317d6215fa13fa.rb
index cd4a00b..9feb7be 100644
--- a/lib/one_gadget/builds/libc-2.19-4e9b0243eb28ea1a14539448a5317d6215fa13fa.rb
+++ b/lib/one_gadget/builds/libc-2.19-4e9b0243eb28ea1a14539448a5317d6215fa13fa.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406432,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406436,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406442,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406446,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-4eda8ff01be3fba1c7bdd442a8690c3dc7397b6a.rb b/lib/one_gadget/builds/libc-2.19-4eda8ff01be3fba1c7bdd442a8690c3dc7397b6a.rb
index 6753d25..7e84658 100644
--- a/lib/one_gadget/builds/libc-2.19-4eda8ff01be3fba1c7bdd442a8690c3dc7397b6a.rb
+++ b/lib/one_gadget/builds/libc-2.19-4eda8ff01be3fba1c7bdd442a8690c3dc7397b6a.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 274185,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 274192,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 274276,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 764189,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 764268,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 878784,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
OneGadget::Gadget.add(build_id, 883528,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 883540,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.19-4f953c59dca85d439af86c6564c9fdb07cccafd5.rb b/lib/one_gadget/builds/libc-2.19-4f953c59dca85d439af86c6564c9fdb07cccafd5.rb
index 5691ad6..d17d955 100644
--- a/lib/one_gadget/builds/libc-2.19-4f953c59dca85d439af86c6564c9fdb07cccafd5.rb
+++ b/lib/one_gadget/builds/libc-2.19-4f953c59dca85d439af86c6564c9fdb07cccafd5.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412615,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412619,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412625,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412629,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-509ee0c9616c4c3ed81951501a8950e1f529bbff.rb b/lib/one_gadget/builds/libc-2.19-509ee0c9616c4c3ed81951501a8950e1f529bbff.rb
index e990ad5..bd37967 100644
--- a/lib/one_gadget/builds/libc-2.19-509ee0c9616c4c3ed81951501a8950e1f529bbff.rb
+++ b/lib/one_gadget/builds/libc-2.19-509ee0c9616c4c3ed81951501a8950e1f529bbff.rb
@@ -20,19 +20,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261528,
+ constraints: ["writable: x21+0x2d8", "{\"sh\", \"-c\", x22, x1, ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x68, environ)")
OneGadget::Gadget.add(build_id, 261532,
- constraints: ["writable: x21+0x2d8", "x3+0x6c0 == NULL"],
+ constraints: ["writable: x21+0x2d8", "x3+0x6c0 == NULL || {x3+0x6c0, \"-c\", x22, x1, ...} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x68, environ)")
OneGadget::Gadget.add(build_id, 261540,
- constraints: ["writable: x20", "writable: x21+0x2d8", "[x20] == NULL || x20 == NULL"],
+ constraints: ["writable: x20", "writable: x21+0x2d8", "[x20] == NULL || x20 == NULL || x20 is a valid argv"],
effect: "execve(\"/bin/sh\", x20, environ)")
OneGadget::Gadget.add(build_id, 261616,
- constraints: ["writable: x21+0x2d8", "writable: x24+0x4", "[x20] == NULL || x20 == NULL"],
+ constraints: ["writable: x21+0x2d8", "writable: x24+0x4", "[x20] == NULL || x20 == NULL || x20 is a valid argv"],
effect: "execve(\"/bin/sh\", x20, environ)")
OneGadget::Gadget.add(build_id, 261628,
- constraints: ["writable: x21+0x2d8", "writable: x24+0x4", "[x1] == NULL || x1 == NULL", "[[x0]] == NULL || [x0] == NULL"],
+ constraints: ["writable: x21+0x2d8", "writable: x24+0x4", "[x1] == NULL || x1 == NULL || x1 is a valid argv", "[[x0]] == NULL || [x0] == NULL || [x0] is a valid envp"],
effect: "execve(\"/bin/sh\", x1, [x0])")
OneGadget::Gadget.add(build_id, 261632,
- constraints: ["writable: x21+0x2d8", "writable: x24+0x4", "[x1] == NULL || x1 == NULL", "[x2] == NULL || x2 == NULL"],
+ constraints: ["writable: x21+0x2d8", "writable: x24+0x4", "[x1] == NULL || x1 == NULL || x1 is a valid argv", "[x2] == NULL || x2 == NULL || x2 is a valid envp"],
effect: "execve(\"/bin/sh\", x1, x2)")
diff --git a/lib/one_gadget/builds/libc-2.19-50c2ed4707152ba59bfacfd4e1fabc3b28ddc140.rb b/lib/one_gadget/builds/libc-2.19-50c2ed4707152ba59bfacfd4e1fabc3b28ddc140.rb
index 0bf6bbe..06c5d46 100644
--- a/lib/one_gadget/builds/libc-2.19-50c2ed4707152ba59bfacfd4e1fabc3b28ddc140.rb
+++ b/lib/one_gadget/builds/libc-2.19-50c2ed4707152ba59bfacfd4e1fabc3b28ddc140.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261647,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 261654,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261663,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261699,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 261703,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 414887,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 414891,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 414897,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 414901,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-50e2c3560712d3d9f7af3d155cdeb69687045dd2.rb b/lib/one_gadget/builds/libc-2.19-50e2c3560712d3d9f7af3d155cdeb69687045dd2.rb
index 2ef707d..8fdf226 100644
--- a/lib/one_gadget/builds/libc-2.19-50e2c3560712d3d9f7af3d155cdeb69687045dd2.rb
+++ b/lib/one_gadget/builds/libc-2.19-50e2c3560712d3d9f7af3d155cdeb69687045dd2.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267081,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267088,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267172,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754717,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 754796,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 870583,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 870595,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 885904,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-512993e1c66001e0ad11feea73ddfc22f9c0767b.rb b/lib/one_gadget/builds/libc-2.19-512993e1c66001e0ad11feea73ddfc22f9c0767b.rb
index dfd065e..8215e7f 100644
--- a/lib/one_gadget/builds/libc-2.19-512993e1c66001e0ad11feea73ddfc22f9c0767b.rb
+++ b/lib/one_gadget/builds/libc-2.19-512993e1c66001e0ad11feea73ddfc22f9c0767b.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412743,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412747,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412753,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412757,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-515cd2920490d13129bbad0514c7c7c7e67c18bc.rb b/lib/one_gadget/builds/libc-2.19-515cd2920490d13129bbad0514c7c7c7e67c18bc.rb
index 99a7bcb..1e012d1 100644
--- a/lib/one_gadget/builds/libc-2.19-515cd2920490d13129bbad0514c7c7c7e67c18bc.rb
+++ b/lib/one_gadget/builds/libc-2.19-515cd2920490d13129bbad0514c7c7c7e67c18bc.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255911,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 255918,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 255927,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 255963,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255967,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409024,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409028,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409034,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409038,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-51a7763b217be74d9da6fd006c32f82ef82477b5.rb b/lib/one_gadget/builds/libc-2.19-51a7763b217be74d9da6fd006c32f82ef82477b5.rb
index 2ae1b9e..b6bfe1d 100644
--- a/lib/one_gadget/builds/libc-2.19-51a7763b217be74d9da6fd006c32f82ef82477b5.rb
+++ b/lib/one_gadget/builds/libc-2.19-51a7763b217be74d9da6fd006c32f82ef82477b5.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 454092,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 454114,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454118,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454122,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 607171,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 607175,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 607181,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 607185,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-5382058b69031caa9b9996c11061cd164c9398ff.rb b/lib/one_gadget/builds/libc-2.19-5382058b69031caa9b9996c11061cd164c9398ff.rb
index 8a52f33..4cbea95 100644
--- a/lib/one_gadget/builds/libc-2.19-5382058b69031caa9b9996c11061cd164c9398ff.rb
+++ b/lib/one_gadget/builds/libc-2.19-5382058b69031caa9b9996c11061cd164c9398ff.rb
@@ -20,28 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 287953,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 287960,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 288044,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 793843,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 793922,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 936648,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL || [rbp-0xf0] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rbp-0xf0])")
OneGadget::Gadget.add(build_id, 940229,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 940241,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 944157,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
diff --git a/lib/one_gadget/builds/libc-2.19-5455f3eafe22e7a085c3568bebc324a2ade811ea.rb b/lib/one_gadget/builds/libc-2.19-5455f3eafe22e7a085c3568bebc324a2ade811ea.rb
index df0112b..c63aa29 100644
--- a/lib/one_gadget/builds/libc-2.19-5455f3eafe22e7a085c3568bebc324a2ade811ea.rb
+++ b/lib/one_gadget/builds/libc-2.19-5455f3eafe22e7a085c3568bebc324a2ade811ea.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248567,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248574,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248583,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248619,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248623,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 408528,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 408532,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 408538,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 408542,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-54b97c45aa9ce58ba4dea4eda316f49927e51cff.rb b/lib/one_gadget/builds/libc-2.19-54b97c45aa9ce58ba4dea4eda316f49927e51cff.rb
index 7e41a08..0a390e1 100644
--- a/lib/one_gadget/builds/libc-2.19-54b97c45aa9ce58ba4dea4eda316f49927e51cff.rb
+++ b/lib/one_gadget/builds/libc-2.19-54b97c45aa9ce58ba4dea4eda316f49927e51cff.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254967,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254974,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254983,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255019,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255023,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415175,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 415179,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 415185,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 415189,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-54fe99efd891702e87da514403a2d3d8cae8032b.rb b/lib/one_gadget/builds/libc-2.19-54fe99efd891702e87da514403a2d3d8cae8032b.rb
index 50d02eb..5de7fbc 100644
--- a/lib/one_gadget/builds/libc-2.19-54fe99efd891702e87da514403a2d3d8cae8032b.rb
+++ b/lib/one_gadget/builds/libc-2.19-54fe99efd891702e87da514403a2d3d8cae8032b.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 408800,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 408804,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 408810,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 408814,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-5537ab284321fdc6efd07276d6e4c524014bf069.rb b/lib/one_gadget/builds/libc-2.19-5537ab284321fdc6efd07276d6e4c524014bf069.rb
index 4ce01bd..da3d852 100644
--- a/lib/one_gadget/builds/libc-2.19-5537ab284321fdc6efd07276d6e4c524014bf069.rb
+++ b/lib/one_gadget/builds/libc-2.19-5537ab284321fdc6efd07276d6e4c524014bf069.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254311,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254318,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254327,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254363,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254367,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 414519,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 414523,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 414529,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 414533,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-55e62f166b419389a0de90ceab52c337946ba643.rb b/lib/one_gadget/builds/libc-2.19-55e62f166b419389a0de90ceab52c337946ba643.rb
index 8c992d0..8434092 100644
--- a/lib/one_gadget/builds/libc-2.19-55e62f166b419389a0de90ceab52c337946ba643.rb
+++ b/lib/one_gadget/builds/libc-2.19-55e62f166b419389a0de90ceab52c337946ba643.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 414711,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 414715,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 414721,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 414725,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-56338f83f1b656ee4395a8d3bddf810725151e91.rb b/lib/one_gadget/builds/libc-2.19-56338f83f1b656ee4395a8d3bddf810725151e91.rb
index 77d7d90..2a09e68 100644
--- a/lib/one_gadget/builds/libc-2.19-56338f83f1b656ee4395a8d3bddf810725151e91.rb
+++ b/lib/one_gadget/builds/libc-2.19-56338f83f1b656ee4395a8d3bddf810725151e91.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248407,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248414,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248423,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248459,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248463,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406208,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406212,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406218,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406222,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-58915015546da78c4116e45480be238bac4c59a7.rb b/lib/one_gadget/builds/libc-2.19-58915015546da78c4116e45480be238bac4c59a7.rb
index 0e454d8..67a92cf 100644
--- a/lib/one_gadget/builds/libc-2.19-58915015546da78c4116e45480be238bac4c59a7.rb
+++ b/lib/one_gadget/builds/libc-2.19-58915015546da78c4116e45480be238bac4c59a7.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 454092,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 454114,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454118,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454122,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 609347,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 609351,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 609357,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 609361,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-58cabb8c6f68b05a1c1c9a707a43f22c3a55a3e9.rb b/lib/one_gadget/builds/libc-2.19-58cabb8c6f68b05a1c1c9a707a43f22c3a55a3e9.rb
index ee31977..da48bfc 100644
--- a/lib/one_gadget/builds/libc-2.19-58cabb8c6f68b05a1c1c9a707a43f22c3a55a3e9.rb
+++ b/lib/one_gadget/builds/libc-2.19-58cabb8c6f68b05a1c1c9a707a43f22c3a55a3e9.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 452940,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 452962,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452966,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452970,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 606707,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 606711,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 606717,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 606721,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-5962ff0ec39da4ea3c572535d1da0c0d3b10cfe9.rb b/lib/one_gadget/builds/libc-2.19-5962ff0ec39da4ea3c572535d1da0c0d3b10cfe9.rb
index 6ffcd95..b56dfff 100644
--- a/lib/one_gadget/builds/libc-2.19-5962ff0ec39da4ea3c572535d1da0c0d3b10cfe9.rb
+++ b/lib/one_gadget/builds/libc-2.19-5962ff0ec39da4ea3c572535d1da0c0d3b10cfe9.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 452940,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 452962,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452966,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452970,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 608835,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 608839,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 608845,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 608849,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-5a49bf8def435ac3fe9208df3c6b5622fe347a97.rb b/lib/one_gadget/builds/libc-2.19-5a49bf8def435ac3fe9208df3c6b5622fe347a97.rb
index b20d87e..336270c 100644
--- a/lib/one_gadget/builds/libc-2.19-5a49bf8def435ac3fe9208df3c6b5622fe347a97.rb
+++ b/lib/one_gadget/builds/libc-2.19-5a49bf8def435ac3fe9208df3c6b5622fe347a97.rb
@@ -20,28 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 287777,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 287784,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 287868,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 809715,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 809794,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 951832,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL || [rbp-0xf0] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rbp-0xf0])")
OneGadget::Gadget.add(build_id, 955413,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 955425,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 959341,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
diff --git a/lib/one_gadget/builds/libc-2.19-5a49ee56df5b5ab48a6f5607bb46a0b92a3d1c34.rb b/lib/one_gadget/builds/libc-2.19-5a49ee56df5b5ab48a6f5607bb46a0b92a3d1c34.rb
index 923f106..c696d97 100644
--- a/lib/one_gadget/builds/libc-2.19-5a49ee56df5b5ab48a6f5607bb46a0b92a3d1c34.rb
+++ b/lib/one_gadget/builds/libc-2.19-5a49ee56df5b5ab48a6f5607bb46a0b92a3d1c34.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 262563,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 262570,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 262579,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 262615,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 262619,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415381,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 415385,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 415391,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 415395,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-5a7a0413044f37bc4096c7bc4c33d1ea6880d856.rb b/lib/one_gadget/builds/libc-2.19-5a7a0413044f37bc4096c7bc4c33d1ea6880d856.rb
index 51fb62f..b2554d6 100644
--- a/lib/one_gadget/builds/libc-2.19-5a7a0413044f37bc4096c7bc4c33d1ea6880d856.rb
+++ b/lib/one_gadget/builds/libc-2.19-5a7a0413044f37bc4096c7bc4c33d1ea6880d856.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267081,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267088,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267172,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754733,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 754812,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 870615,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 870627,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 885936,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-5a968877a4a31019701f53ed38130c1313a5e0ad.rb b/lib/one_gadget/builds/libc-2.19-5a968877a4a31019701f53ed38130c1313a5e0ad.rb
index fe6d2fc..f7af776 100644
--- a/lib/one_gadget/builds/libc-2.19-5a968877a4a31019701f53ed38130c1313a5e0ad.rb
+++ b/lib/one_gadget/builds/libc-2.19-5a968877a4a31019701f53ed38130c1313a5e0ad.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255467,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 255474,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255483,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255519,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255523,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 417007,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 417011,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 417017,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 417021,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-5ab6a00d805f696b8aa6d0d2ee29d511b41499d1.rb b/lib/one_gadget/builds/libc-2.19-5ab6a00d805f696b8aa6d0d2ee29d511b41499d1.rb
index 188070e..69a2153 100644
--- a/lib/one_gadget/builds/libc-2.19-5ab6a00d805f696b8aa6d0d2ee29d511b41499d1.rb
+++ b/lib/one_gadget/builds/libc-2.19-5ab6a00d805f696b8aa6d0d2ee29d511b41499d1.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412775,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412779,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412785,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412789,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-5b344bb54cc929c6849371987107f587bd9e0d48.rb b/lib/one_gadget/builds/libc-2.19-5b344bb54cc929c6849371987107f587bd9e0d48.rb
index 718f2b3..04f14f4 100644
--- a/lib/one_gadget/builds/libc-2.19-5b344bb54cc929c6849371987107f587bd9e0d48.rb
+++ b/lib/one_gadget/builds/libc-2.19-5b344bb54cc929c6849371987107f587bd9e0d48.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267081,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267088,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267172,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754717,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 754796,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 870583,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 870595,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 885904,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-5b60e04aabbebdb248f5c03dad0ca1a9fab8be5f.rb b/lib/one_gadget/builds/libc-2.19-5b60e04aabbebdb248f5c03dad0ca1a9fab8be5f.rb
index f2786c0..67d404c 100644
--- a/lib/one_gadget/builds/libc-2.19-5b60e04aabbebdb248f5c03dad0ca1a9fab8be5f.rb
+++ b/lib/one_gadget/builds/libc-2.19-5b60e04aabbebdb248f5c03dad0ca1a9fab8be5f.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 249239,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 249246,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249255,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249291,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 249295,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409216,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409220,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409226,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409230,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-5ba8f97e1beb7f068474d473e2db786c07df8561.rb b/lib/one_gadget/builds/libc-2.19-5ba8f97e1beb7f068474d473e2db786c07df8561.rb
index 75d05f0..ac23d68 100644
--- a/lib/one_gadget/builds/libc-2.19-5ba8f97e1beb7f068474d473e2db786c07df8561.rb
+++ b/lib/one_gadget/builds/libc-2.19-5ba8f97e1beb7f068474d473e2db786c07df8561.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415095,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 415099,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 415105,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 415109,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-5c02e6b0e80785f5944265c698dc811862018d21.rb b/lib/one_gadget/builds/libc-2.19-5c02e6b0e80785f5944265c698dc811862018d21.rb
index da7fcfa..dc7b319 100644
--- a/lib/one_gadget/builds/libc-2.19-5c02e6b0e80785f5944265c698dc811862018d21.rb
+++ b/lib/one_gadget/builds/libc-2.19-5c02e6b0e80785f5944265c698dc811862018d21.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 249239,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 249246,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249255,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249291,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 249295,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409248,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409252,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409258,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409262,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-5c14523f13f0fb9be3366f446e9e48165373ddf8.rb b/lib/one_gadget/builds/libc-2.19-5c14523f13f0fb9be3366f446e9e48165373ddf8.rb
index f303975..165775e 100644
--- a/lib/one_gadget/builds/libc-2.19-5c14523f13f0fb9be3366f446e9e48165373ddf8.rb
+++ b/lib/one_gadget/builds/libc-2.19-5c14523f13f0fb9be3366f446e9e48165373ddf8.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 452812,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 452834,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452838,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452842,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 609283,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 609287,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 609293,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 609297,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-5e1e27a45fbd02cfa9a95bf657fc4aa53af75421.rb b/lib/one_gadget/builds/libc-2.19-5e1e27a45fbd02cfa9a95bf657fc4aa53af75421.rb
index d3e8428..d56816e 100644
--- a/lib/one_gadget/builds/libc-2.19-5e1e27a45fbd02cfa9a95bf657fc4aa53af75421.rb
+++ b/lib/one_gadget/builds/libc-2.19-5e1e27a45fbd02cfa9a95bf657fc4aa53af75421.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267081,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267088,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267172,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754717,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 754796,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 870583,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 870595,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 885904,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-605a6d751871d12a83e34359ff4d73c895d6f4ce.rb b/lib/one_gadget/builds/libc-2.19-605a6d751871d12a83e34359ff4d73c895d6f4ce.rb
index 0643a6e..732884a 100644
--- a/lib/one_gadget/builds/libc-2.19-605a6d751871d12a83e34359ff4d73c895d6f4ce.rb
+++ b/lib/one_gadget/builds/libc-2.19-605a6d751871d12a83e34359ff4d73c895d6f4ce.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261639,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 261646,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261655,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261691,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 261695,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415015,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 415019,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 415025,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 415029,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-60b315c3b5a4b7e4bf699cf79a137d19a9a13d89.rb b/lib/one_gadget/builds/libc-2.19-60b315c3b5a4b7e4bf699cf79a137d19a9a13d89.rb
index 0ed4b83..3d118d8 100644
--- a/lib/one_gadget/builds/libc-2.19-60b315c3b5a4b7e4bf699cf79a137d19a9a13d89.rb
+++ b/lib/one_gadget/builds/libc-2.19-60b315c3b5a4b7e4bf699cf79a137d19a9a13d89.rb
@@ -21,22 +21,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 242675,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 242677,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 242681,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 242688,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 242723,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 242724,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 412260,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.19-60c7d280d7c8af6758a3a951524487641f349460.rb b/lib/one_gadget/builds/libc-2.19-60c7d280d7c8af6758a3a951524487641f349460.rb
index 1f33a55..a2772c3 100644
--- a/lib/one_gadget/builds/libc-2.19-60c7d280d7c8af6758a3a951524487641f349460.rb
+++ b/lib/one_gadget/builds/libc-2.19-60c7d280d7c8af6758a3a951524487641f349460.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 262731,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 262738,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 262747,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 262783,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 262787,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 417861,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 417865,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 417871,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 417875,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-61eeda0c442c32c20f93008acbc978e28cca956d.rb b/lib/one_gadget/builds/libc-2.19-61eeda0c442c32c20f93008acbc978e28cca956d.rb
index 1ab0e79..e5b3fbb 100644
--- a/lib/one_gadget/builds/libc-2.19-61eeda0c442c32c20f93008acbc978e28cca956d.rb
+++ b/lib/one_gadget/builds/libc-2.19-61eeda0c442c32c20f93008acbc978e28cca956d.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 454076,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 454098,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454102,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454106,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 609331,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 609335,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 609341,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 609345,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-63b04eb27336fd6c68f7bd8ba76ccbcc8df1b46c.rb b/lib/one_gadget/builds/libc-2.19-63b04eb27336fd6c68f7bd8ba76ccbcc8df1b46c.rb
index e211bed..6b6dfb8 100644
--- a/lib/one_gadget/builds/libc-2.19-63b04eb27336fd6c68f7bd8ba76ccbcc8df1b46c.rb
+++ b/lib/one_gadget/builds/libc-2.19-63b04eb27336fd6c68f7bd8ba76ccbcc8df1b46c.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248407,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248414,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248423,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248459,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248463,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406208,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406212,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406218,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406222,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-6573062b2d3648b5970f82fbd63cd154c9d84661.rb b/lib/one_gadget/builds/libc-2.19-6573062b2d3648b5970f82fbd63cd154c9d84661.rb
index ca987da..ceecc95 100644
--- a/lib/one_gadget/builds/libc-2.19-6573062b2d3648b5970f82fbd63cd154c9d84661.rb
+++ b/lib/one_gadget/builds/libc-2.19-6573062b2d3648b5970f82fbd63cd154c9d84661.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406432,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406436,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406442,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406446,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-6573e7dbcbb6179989e2308746f65b95c4117485.rb b/lib/one_gadget/builds/libc-2.19-6573e7dbcbb6179989e2308746f65b95c4117485.rb
index baf98d8..8e37522 100644
--- a/lib/one_gadget/builds/libc-2.19-6573e7dbcbb6179989e2308746f65b95c4117485.rb
+++ b/lib/one_gadget/builds/libc-2.19-6573e7dbcbb6179989e2308746f65b95c4117485.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 452940,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 452962,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452966,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452970,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 606899,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 606903,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 606909,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 606913,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-6850f318041a1a5a202ab0512dda55e80ff19ec8.rb b/lib/one_gadget/builds/libc-2.19-6850f318041a1a5a202ab0512dda55e80ff19ec8.rb
index f7eb518..d4088ed 100644
--- a/lib/one_gadget/builds/libc-2.19-6850f318041a1a5a202ab0512dda55e80ff19ec8.rb
+++ b/lib/one_gadget/builds/libc-2.19-6850f318041a1a5a202ab0512dda55e80ff19ec8.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 453772,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 453794,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 453798,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 453802,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 609027,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 609031,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 609037,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 609041,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-68977b6661c8b646d7d88e32d81916937e346001.rb b/lib/one_gadget/builds/libc-2.19-68977b6661c8b646d7d88e32d81916937e346001.rb
index 3eed460..6d6337d 100644
--- a/lib/one_gadget/builds/libc-2.19-68977b6661c8b646d7d88e32d81916937e346001.rb
+++ b/lib/one_gadget/builds/libc-2.19-68977b6661c8b646d7d88e32d81916937e346001.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 453596,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 453618,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 453622,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 453626,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 610147,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 610151,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 610157,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 610161,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-69673214041206e0eee5b9b5b47fd12d733127e1.rb b/lib/one_gadget/builds/libc-2.19-69673214041206e0eee5b9b5b47fd12d733127e1.rb
index 31e4141..306fd30 100644
--- a/lib/one_gadget/builds/libc-2.19-69673214041206e0eee5b9b5b47fd12d733127e1.rb
+++ b/lib/one_gadget/builds/libc-2.19-69673214041206e0eee5b9b5b47fd12d733127e1.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 262555,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbp, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 262562,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 262646,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 701405,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 701484,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 823359,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 823371,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 838688,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-6a6d6625087a1de6139a620795ef8b2360a06592.rb b/lib/one_gadget/builds/libc-2.19-6a6d6625087a1de6139a620795ef8b2360a06592.rb
index dd01853..51d96f8 100644
--- a/lib/one_gadget/builds/libc-2.19-6a6d6625087a1de6139a620795ef8b2360a06592.rb
+++ b/lib/one_gadget/builds/libc-2.19-6a6d6625087a1de6139a620795ef8b2360a06592.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 454076,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 454098,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454102,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454106,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 609331,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 609335,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 609341,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 609345,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-6abcb030391dbadd0fda38c3975ad6dcfe7fe20c.rb b/lib/one_gadget/builds/libc-2.19-6abcb030391dbadd0fda38c3975ad6dcfe7fe20c.rb
index 69b6a49..f42029a 100644
--- a/lib/one_gadget/builds/libc-2.19-6abcb030391dbadd0fda38c3975ad6dcfe7fe20c.rb
+++ b/lib/one_gadget/builds/libc-2.19-6abcb030391dbadd0fda38c3975ad6dcfe7fe20c.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255911,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 255918,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 255927,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 255963,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255967,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409056,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409060,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409066,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409070,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-6aff6d091954955fe931bb720a17708513aabda7.rb b/lib/one_gadget/builds/libc-2.19-6aff6d091954955fe931bb720a17708513aabda7.rb
index 8163f52..12277fc 100644
--- a/lib/one_gadget/builds/libc-2.19-6aff6d091954955fe931bb720a17708513aabda7.rb
+++ b/lib/one_gadget/builds/libc-2.19-6aff6d091954955fe931bb720a17708513aabda7.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261399,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 261406,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261415,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261451,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 261455,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412768,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412772,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412778,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412782,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-6b536aa43eabd040e5117034f582d1c0374980cd.rb b/lib/one_gadget/builds/libc-2.19-6b536aa43eabd040e5117034f582d1c0374980cd.rb
index ffb8df8..f37c666 100644
--- a/lib/one_gadget/builds/libc-2.19-6b536aa43eabd040e5117034f582d1c0374980cd.rb
+++ b/lib/one_gadget/builds/libc-2.19-6b536aa43eabd040e5117034f582d1c0374980cd.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261639,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 261646,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261655,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261691,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 261695,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 414983,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 414987,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 414993,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 414997,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-6d7e55c204d097c75f6b89717876c17f0dc1779a.rb b/lib/one_gadget/builds/libc-2.19-6d7e55c204d097c75f6b89717876c17f0dc1779a.rb
index 0e2e79c..477b16e 100644
--- a/lib/one_gadget/builds/libc-2.19-6d7e55c204d097c75f6b89717876c17f0dc1779a.rb
+++ b/lib/one_gadget/builds/libc-2.19-6d7e55c204d097c75f6b89717876c17f0dc1779a.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 452940,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 452962,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452966,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452970,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 606899,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 606903,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 606909,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 606913,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-6d8d0b8321b58b20d824cfa9d68d66769caa9b42.rb b/lib/one_gadget/builds/libc-2.19-6d8d0b8321b58b20d824cfa9d68d66769caa9b42.rb
index 6df1a02..e59f4bd 100644
--- a/lib/one_gadget/builds/libc-2.19-6d8d0b8321b58b20d824cfa9d68d66769caa9b42.rb
+++ b/lib/one_gadget/builds/libc-2.19-6d8d0b8321b58b20d824cfa9d68d66769caa9b42.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255271,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 255278,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255287,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255323,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255327,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415479,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 415483,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 415489,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 415493,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-6ee0f980c1c75935d8802d0ea84e0a9f09874c51.rb b/lib/one_gadget/builds/libc-2.19-6ee0f980c1c75935d8802d0ea84e0a9f09874c51.rb
index 2ee36b8..925186c 100644
--- a/lib/one_gadget/builds/libc-2.19-6ee0f980c1c75935d8802d0ea84e0a9f09874c51.rb
+++ b/lib/one_gadget/builds/libc-2.19-6ee0f980c1c75935d8802d0ea84e0a9f09874c51.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 274313,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 274320,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 274404,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 753661,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 753740,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 868944,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
OneGadget::Gadget.add(build_id, 873688,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 873700,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.19-700e2a19dfcc8e20b41145039b6c823123676696.rb b/lib/one_gadget/builds/libc-2.19-700e2a19dfcc8e20b41145039b6c823123676696.rb
index 112393a..bdb021f 100644
--- a/lib/one_gadget/builds/libc-2.19-700e2a19dfcc8e20b41145039b6c823123676696.rb
+++ b/lib/one_gadget/builds/libc-2.19-700e2a19dfcc8e20b41145039b6c823123676696.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 453596,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 453618,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 453622,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 453626,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 610147,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 610151,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 610157,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 610161,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-705f27d45e46aeda2619beb62fc804d1c2fbe26c.rb b/lib/one_gadget/builds/libc-2.19-705f27d45e46aeda2619beb62fc804d1c2fbe26c.rb
index 8d17f8f..5833ec0 100644
--- a/lib/one_gadget/builds/libc-2.19-705f27d45e46aeda2619beb62fc804d1c2fbe26c.rb
+++ b/lib/one_gadget/builds/libc-2.19-705f27d45e46aeda2619beb62fc804d1c2fbe26c.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412743,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412747,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412753,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412757,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-707bc133809b86abab918bb8a8fc7791fe916765.rb b/lib/one_gadget/builds/libc-2.19-707bc133809b86abab918bb8a8fc7791fe916765.rb
index aa97cf8..edb6039 100644
--- a/lib/one_gadget/builds/libc-2.19-707bc133809b86abab918bb8a8fc7791fe916765.rb
+++ b/lib/one_gadget/builds/libc-2.19-707bc133809b86abab918bb8a8fc7791fe916765.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 256267,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 256274,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 256283,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 256319,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 256323,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 420079,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 420083,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 420089,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 420093,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-74a3b58450e957c04e2cca3619695cb3d73bb68e.rb b/lib/one_gadget/builds/libc-2.19-74a3b58450e957c04e2cca3619695cb3d73bb68e.rb
index dad43a9..16b624c 100644
--- a/lib/one_gadget/builds/libc-2.19-74a3b58450e957c04e2cca3619695cb3d73bb68e.rb
+++ b/lib/one_gadget/builds/libc-2.19-74a3b58450e957c04e2cca3619695cb3d73bb68e.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415063,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 415067,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 415073,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 415077,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-74bf136a60dee4fe2f7ca0d9b40fbdd6b0115496.rb b/lib/one_gadget/builds/libc-2.19-74bf136a60dee4fe2f7ca0d9b40fbdd6b0115496.rb
index 26bf62e..322a2c1 100644
--- a/lib/one_gadget/builds/libc-2.19-74bf136a60dee4fe2f7ca0d9b40fbdd6b0115496.rb
+++ b/lib/one_gadget/builds/libc-2.19-74bf136a60dee4fe2f7ca0d9b40fbdd6b0115496.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 452940,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 452962,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452966,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452970,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 609411,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 609415,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 609421,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 609425,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-7553121919b4b6bb1d86f8b1eb8eb152e6fb1218.rb b/lib/one_gadget/builds/libc-2.19-7553121919b4b6bb1d86f8b1eb8eb152e6fb1218.rb
index 324ad2f..86f8816 100644
--- a/lib/one_gadget/builds/libc-2.19-7553121919b4b6bb1d86f8b1eb8eb152e6fb1218.rb
+++ b/lib/one_gadget/builds/libc-2.19-7553121919b4b6bb1d86f8b1eb8eb152e6fb1218.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 266985,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 266992,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267076,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 765005,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 765084,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 880199,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 880211,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 895520,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-77063a4c59e02c182d5afae288f450c7cdf5b6da.rb b/lib/one_gadget/builds/libc-2.19-77063a4c59e02c182d5afae288f450c7cdf5b6da.rb
index ccf75bd..d554313 100644
--- a/lib/one_gadget/builds/libc-2.19-77063a4c59e02c182d5afae288f450c7cdf5b6da.rb
+++ b/lib/one_gadget/builds/libc-2.19-77063a4c59e02c182d5afae288f450c7cdf5b6da.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248791,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248798,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248807,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248843,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248847,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409376,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409380,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409386,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409390,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-77504f0405a2d81d64310f262ac559cdc8375b04.rb b/lib/one_gadget/builds/libc-2.19-77504f0405a2d81d64310f262ac559cdc8375b04.rb
index e230942..25cb1a8 100644
--- a/lib/one_gadget/builds/libc-2.19-77504f0405a2d81d64310f262ac559cdc8375b04.rb
+++ b/lib/one_gadget/builds/libc-2.19-77504f0405a2d81d64310f262ac559cdc8375b04.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 266937,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 266944,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267028,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754125,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 754204,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 869735,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 869747,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 884848,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-77bcde9cd55f5ca93684b46705e0851585b94019.rb b/lib/one_gadget/builds/libc-2.19-77bcde9cd55f5ca93684b46705e0851585b94019.rb
index 2c8fc63..9b04843 100644
--- a/lib/one_gadget/builds/libc-2.19-77bcde9cd55f5ca93684b46705e0851585b94019.rb
+++ b/lib/one_gadget/builds/libc-2.19-77bcde9cd55f5ca93684b46705e0851585b94019.rb
@@ -20,28 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 287873,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 287880,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 287964,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 793875,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 793954,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 936680,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL || [rbp-0xf0] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rbp-0xf0])")
OneGadget::Gadget.add(build_id, 940261,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 940273,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 944189,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
diff --git a/lib/one_gadget/builds/libc-2.19-78c0362905c145cfc28aa2ff409962f3c8b2cb6b.rb b/lib/one_gadget/builds/libc-2.19-78c0362905c145cfc28aa2ff409962f3c8b2cb6b.rb
index 7302666..ccc4534 100644
--- a/lib/one_gadget/builds/libc-2.19-78c0362905c145cfc28aa2ff409962f3c8b2cb6b.rb
+++ b/lib/one_gadget/builds/libc-2.19-78c0362905c145cfc28aa2ff409962f3c8b2cb6b.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254439,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254446,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254455,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254491,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254495,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412463,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412467,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412473,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412477,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-7a7914eec99efd40990d0b1978a01caf46612636.rb b/lib/one_gadget/builds/libc-2.19-7a7914eec99efd40990d0b1978a01caf46612636.rb
index c0647af..335228a 100644
--- a/lib/one_gadget/builds/libc-2.19-7a7914eec99efd40990d0b1978a01caf46612636.rb
+++ b/lib/one_gadget/builds/libc-2.19-7a7914eec99efd40990d0b1978a01caf46612636.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267961,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267968,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 268052,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 755213,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 755292,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 870839,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 870851,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 885952,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-7ccbbd7f1713d8eebb6042a8da7e9f2ac1878d42.rb b/lib/one_gadget/builds/libc-2.19-7ccbbd7f1713d8eebb6042a8da7e9f2ac1878d42.rb
index 1056a2b..8ff356c 100644
--- a/lib/one_gadget/builds/libc-2.19-7ccbbd7f1713d8eebb6042a8da7e9f2ac1878d42.rb
+++ b/lib/one_gadget/builds/libc-2.19-7ccbbd7f1713d8eebb6042a8da7e9f2ac1878d42.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 249543,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 249550,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249559,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249595,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 249599,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409536,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409540,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409546,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409550,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-7cf04fce2326ced25e80c0d7972408574a0817e6.rb b/lib/one_gadget/builds/libc-2.19-7cf04fce2326ced25e80c0d7972408574a0817e6.rb
index dcde4a3..f73f5f6 100644
--- a/lib/one_gadget/builds/libc-2.19-7cf04fce2326ced25e80c0d7972408574a0817e6.rb
+++ b/lib/one_gadget/builds/libc-2.19-7cf04fce2326ced25e80c0d7972408574a0817e6.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 274841,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 274848,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 274932,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 755165,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 755244,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 870272,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
OneGadget::Gadget.add(build_id, 874871,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 874883,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.19-7d415bffb8dbc06c96e116d8e8f0d8deababbd9e.rb b/lib/one_gadget/builds/libc-2.19-7d415bffb8dbc06c96e116d8e8f0d8deababbd9e.rb
index cde0576..3372511 100644
--- a/lib/one_gadget/builds/libc-2.19-7d415bffb8dbc06c96e116d8e8f0d8deababbd9e.rb
+++ b/lib/one_gadget/builds/libc-2.19-7d415bffb8dbc06c96e116d8e8f0d8deababbd9e.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 274265,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 274272,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 274356,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 753597,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 753676,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 868880,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
OneGadget::Gadget.add(build_id, 873624,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 873636,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.19-7e523a4a16878ad1fcb7844e93bdd4d474843f86.rb b/lib/one_gadget/builds/libc-2.19-7e523a4a16878ad1fcb7844e93bdd4d474843f86.rb
index bc37c96..07ce18c 100644
--- a/lib/one_gadget/builds/libc-2.19-7e523a4a16878ad1fcb7844e93bdd4d474843f86.rb
+++ b/lib/one_gadget/builds/libc-2.19-7e523a4a16878ad1fcb7844e93bdd4d474843f86.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 408832,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 408836,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 408842,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 408846,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-7e97512d5895e6d5e26dc5b26b31c575a80f0188.rb b/lib/one_gadget/builds/libc-2.19-7e97512d5895e6d5e26dc5b26b31c575a80f0188.rb
index 0b83a91..aed6c37 100644
--- a/lib/one_gadget/builds/libc-2.19-7e97512d5895e6d5e26dc5b26b31c575a80f0188.rb
+++ b/lib/one_gadget/builds/libc-2.19-7e97512d5895e6d5e26dc5b26b31c575a80f0188.rb
@@ -22,22 +22,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 253955,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 253962,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 253971,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254007,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254011,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 416399,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 416403,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 416409,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 416413,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-7f380884708f0bac5c779705562e01ccc7ecf223.rb b/lib/one_gadget/builds/libc-2.19-7f380884708f0bac5c779705562e01ccc7ecf223.rb
index d7ba383..1f03119 100644
--- a/lib/one_gadget/builds/libc-2.19-7f380884708f0bac5c779705562e01ccc7ecf223.rb
+++ b/lib/one_gadget/builds/libc-2.19-7f380884708f0bac5c779705562e01ccc7ecf223.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 454556,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 454578,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454582,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454586,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 609859,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 609863,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 609869,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 609873,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-7f6d04c0ad1b67e316c80cd606720675fc111b50.rb b/lib/one_gadget/builds/libc-2.19-7f6d04c0ad1b67e316c80cd606720675fc111b50.rb
index 569a1ca..b9f2c70 100644
--- a/lib/one_gadget/builds/libc-2.19-7f6d04c0ad1b67e316c80cd606720675fc111b50.rb
+++ b/lib/one_gadget/builds/libc-2.19-7f6d04c0ad1b67e316c80cd606720675fc111b50.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 414679,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 414683,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 414689,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 414693,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-7fbf66aed8b38b67a1a5653e27e9e4d430b9ada6.rb b/lib/one_gadget/builds/libc-2.19-7fbf66aed8b38b67a1a5653e27e9e4d430b9ada6.rb
index 456a408..6d6bc0a 100644
--- a/lib/one_gadget/builds/libc-2.19-7fbf66aed8b38b67a1a5653e27e9e4d430b9ada6.rb
+++ b/lib/one_gadget/builds/libc-2.19-7fbf66aed8b38b67a1a5653e27e9e4d430b9ada6.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406400,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406404,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406410,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406414,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-80c8143bd0180bbeb21b7d8c12687d043ae81c7d.rb b/lib/one_gadget/builds/libc-2.19-80c8143bd0180bbeb21b7d8c12687d043ae81c7d.rb
index 9e971e9..f27c16f 100644
--- a/lib/one_gadget/builds/libc-2.19-80c8143bd0180bbeb21b7d8c12687d043ae81c7d.rb
+++ b/lib/one_gadget/builds/libc-2.19-80c8143bd0180bbeb21b7d8c12687d043ae81c7d.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254967,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254974,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254983,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255019,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255023,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415175,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 415179,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 415185,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 415189,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-8131bf46e87501516970176f3f7e86762ffcc3bf.rb b/lib/one_gadget/builds/libc-2.19-8131bf46e87501516970176f3f7e86762ffcc3bf.rb
index f2626f5..d51b289 100644
--- a/lib/one_gadget/builds/libc-2.19-8131bf46e87501516970176f3f7e86762ffcc3bf.rb
+++ b/lib/one_gadget/builds/libc-2.19-8131bf46e87501516970176f3f7e86762ffcc3bf.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412743,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412747,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412753,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412757,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-83aef0e751f3dddd4b56c5be57524239e39eecaa.rb b/lib/one_gadget/builds/libc-2.19-83aef0e751f3dddd4b56c5be57524239e39eecaa.rb
index 7aa5380..3461e97 100644
--- a/lib/one_gadget/builds/libc-2.19-83aef0e751f3dddd4b56c5be57524239e39eecaa.rb
+++ b/lib/one_gadget/builds/libc-2.19-83aef0e751f3dddd4b56c5be57524239e39eecaa.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 452812,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 452834,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452838,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452842,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 609283,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 609287,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 609293,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 609297,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-83f3af43ecaf52a63801ea59ad113835dfb31d58.rb b/lib/one_gadget/builds/libc-2.19-83f3af43ecaf52a63801ea59ad113835dfb31d58.rb
index 5841e40..fd52f54 100644
--- a/lib/one_gadget/builds/libc-2.19-83f3af43ecaf52a63801ea59ad113835dfb31d58.rb
+++ b/lib/one_gadget/builds/libc-2.19-83f3af43ecaf52a63801ea59ad113835dfb31d58.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 253111,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 253118,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 253127,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 253163,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 253167,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412007,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412011,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412017,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412021,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-845104cd0116005c9b9569fe3c6d5afd3689a01e.rb b/lib/one_gadget/builds/libc-2.19-845104cd0116005c9b9569fe3c6d5afd3689a01e.rb
index 3f086db..bdc5fbb 100644
--- a/lib/one_gadget/builds/libc-2.19-845104cd0116005c9b9569fe3c6d5afd3689a01e.rb
+++ b/lib/one_gadget/builds/libc-2.19-845104cd0116005c9b9569fe3c6d5afd3689a01e.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254311,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254318,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254327,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254363,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254367,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 414551,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 414555,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 414561,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 414565,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-8564abd306654cfc468a54117954244e1a2c9102.rb b/lib/one_gadget/builds/libc-2.19-8564abd306654cfc468a54117954244e1a2c9102.rb
index ce77a95..7af7ff0 100644
--- a/lib/one_gadget/builds/libc-2.19-8564abd306654cfc468a54117954244e1a2c9102.rb
+++ b/lib/one_gadget/builds/libc-2.19-8564abd306654cfc468a54117954244e1a2c9102.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412775,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412779,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412785,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412789,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-863b5d3db2ef5af0b32dba633dca439a3908c42e.rb b/lib/one_gadget/builds/libc-2.19-863b5d3db2ef5af0b32dba633dca439a3908c42e.rb
index e7b4be5..4ec41ac 100644
--- a/lib/one_gadget/builds/libc-2.19-863b5d3db2ef5af0b32dba633dca439a3908c42e.rb
+++ b/lib/one_gadget/builds/libc-2.19-863b5d3db2ef5af0b32dba633dca439a3908c42e.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267081,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267088,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267172,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754269,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 754348,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 869879,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 869891,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 884992,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-866e18be92e8dcab711b7c1e3402065deff5df70.rb b/lib/one_gadget/builds/libc-2.19-866e18be92e8dcab711b7c1e3402065deff5df70.rb
index 3b86ba8..532e4d7 100644
--- a/lib/one_gadget/builds/libc-2.19-866e18be92e8dcab711b7c1e3402065deff5df70.rb
+++ b/lib/one_gadget/builds/libc-2.19-866e18be92e8dcab711b7c1e3402065deff5df70.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 249495,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 249502,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249511,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249547,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 249551,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409504,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409508,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409514,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409518,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-869f691faebbe08548ec64381e41acf5997c0fb0.rb b/lib/one_gadget/builds/libc-2.19-869f691faebbe08548ec64381e41acf5997c0fb0.rb
index 6291367..7fac603 100644
--- a/lib/one_gadget/builds/libc-2.19-869f691faebbe08548ec64381e41acf5997c0fb0.rb
+++ b/lib/one_gadget/builds/libc-2.19-869f691faebbe08548ec64381e41acf5997c0fb0.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406400,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406404,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406410,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406414,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-87805ebef970b79b4a1fb5facb43719a26c335af.rb b/lib/one_gadget/builds/libc-2.19-87805ebef970b79b4a1fb5facb43719a26c335af.rb
index dba0439..cfd935f 100644
--- a/lib/one_gadget/builds/libc-2.19-87805ebef970b79b4a1fb5facb43719a26c335af.rb
+++ b/lib/one_gadget/builds/libc-2.19-87805ebef970b79b4a1fb5facb43719a26c335af.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255271,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 255278,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255287,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255323,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255327,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415511,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 415515,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 415521,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 415525,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-887a7db21e668f6153604d9e00d1026137f777ee.rb b/lib/one_gadget/builds/libc-2.19-887a7db21e668f6153604d9e00d1026137f777ee.rb
index c076182..c77329a 100644
--- a/lib/one_gadget/builds/libc-2.19-887a7db21e668f6153604d9e00d1026137f777ee.rb
+++ b/lib/one_gadget/builds/libc-2.19-887a7db21e668f6153604d9e00d1026137f777ee.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412775,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412779,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412785,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412789,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-8b05579712ebaea7cae547f4fc461c0828e9c446.rb b/lib/one_gadget/builds/libc-2.19-8b05579712ebaea7cae547f4fc461c0828e9c446.rb
index c99ef80..17af21c 100644
--- a/lib/one_gadget/builds/libc-2.19-8b05579712ebaea7cae547f4fc461c0828e9c446.rb
+++ b/lib/one_gadget/builds/libc-2.19-8b05579712ebaea7cae547f4fc461c0828e9c446.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248167,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248174,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248183,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248219,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248223,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406688,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406692,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406698,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406702,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-8c5d5643cd08bc078f22310103f7c6af4ed37921.rb b/lib/one_gadget/builds/libc-2.19-8c5d5643cd08bc078f22310103f7c6af4ed37921.rb
index 8dd5eed..91dbc2d 100644
--- a/lib/one_gadget/builds/libc-2.19-8c5d5643cd08bc078f22310103f7c6af4ed37921.rb
+++ b/lib/one_gadget/builds/libc-2.19-8c5d5643cd08bc078f22310103f7c6af4ed37921.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267209,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267216,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267300,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 765341,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 765420,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 881207,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 881219,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 896528,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-8cb4573f8cc3764df7570800247a76dd63d847b4.rb b/lib/one_gadget/builds/libc-2.19-8cb4573f8cc3764df7570800247a76dd63d847b4.rb
index e370ebb..432b89f 100644
--- a/lib/one_gadget/builds/libc-2.19-8cb4573f8cc3764df7570800247a76dd63d847b4.rb
+++ b/lib/one_gadget/builds/libc-2.19-8cb4573f8cc3764df7570800247a76dd63d847b4.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 266985,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 266992,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267076,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 765005,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 765084,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 880199,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 880211,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 895520,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-8d935a42f2f2a1149aa52d3098b32b1d5012cb67.rb b/lib/one_gadget/builds/libc-2.19-8d935a42f2f2a1149aa52d3098b32b1d5012cb67.rb
index 75f081d..c2868a7 100644
--- a/lib/one_gadget/builds/libc-2.19-8d935a42f2f2a1149aa52d3098b32b1d5012cb67.rb
+++ b/lib/one_gadget/builds/libc-2.19-8d935a42f2f2a1149aa52d3098b32b1d5012cb67.rb
@@ -20,19 +20,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261720,
+ constraints: ["writable: x21+0x2e0", "{\"sh\", \"-c\", x22, x1, ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x68, environ)")
OneGadget::Gadget.add(build_id, 261724,
- constraints: ["writable: x21+0x2e0", "x3+0x3b0 == NULL"],
+ constraints: ["writable: x21+0x2e0", "x3+0x3b0 == NULL || {x3+0x3b0, \"-c\", x22, x1, ...} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x68, environ)")
OneGadget::Gadget.add(build_id, 261732,
- constraints: ["writable: x20", "writable: x21+0x2e0", "[x20] == NULL || x20 == NULL"],
+ constraints: ["writable: x20", "writable: x21+0x2e0", "[x20] == NULL || x20 == NULL || x20 is a valid argv"],
effect: "execve(\"/bin/sh\", x20, environ)")
OneGadget::Gadget.add(build_id, 261808,
- constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x20] == NULL || x20 == NULL"],
+ constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x20] == NULL || x20 == NULL || x20 is a valid argv"],
effect: "execve(\"/bin/sh\", x20, environ)")
OneGadget::Gadget.add(build_id, 261820,
- constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x1] == NULL || x1 == NULL", "[[x0]] == NULL || [x0] == NULL"],
+ constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x1] == NULL || x1 == NULL || x1 is a valid argv", "[[x0]] == NULL || [x0] == NULL || [x0] is a valid envp"],
effect: "execve(\"/bin/sh\", x1, [x0])")
OneGadget::Gadget.add(build_id, 261824,
- constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x1] == NULL || x1 == NULL", "[x2] == NULL || x2 == NULL"],
+ constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x1] == NULL || x1 == NULL || x1 is a valid argv", "[x2] == NULL || x2 == NULL || x2 is a valid envp"],
effect: "execve(\"/bin/sh\", x1, x2)")
diff --git a/lib/one_gadget/builds/libc-2.19-8e4150ea59c3a6fdc9f001ba17274f7c48e4be21.rb b/lib/one_gadget/builds/libc-2.19-8e4150ea59c3a6fdc9f001ba17274f7c48e4be21.rb
index c08bc0e..756e083 100644
--- a/lib/one_gadget/builds/libc-2.19-8e4150ea59c3a6fdc9f001ba17274f7c48e4be21.rb
+++ b/lib/one_gadget/builds/libc-2.19-8e4150ea59c3a6fdc9f001ba17274f7c48e4be21.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267897,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267904,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267988,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 755149,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 755228,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 870775,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 870787,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 885888,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-8fa762223d6b8ee6d47af7455c691a5e238c8209.rb b/lib/one_gadget/builds/libc-2.19-8fa762223d6b8ee6d47af7455c691a5e238c8209.rb
index f7768e9..4f25ede 100644
--- a/lib/one_gadget/builds/libc-2.19-8fa762223d6b8ee6d47af7455c691a5e238c8209.rb
+++ b/lib/one_gadget/builds/libc-2.19-8fa762223d6b8ee6d47af7455c691a5e238c8209.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248567,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248574,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248583,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248619,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248623,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 408560,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 408564,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 408570,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 408574,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-90b068141be8b0f52ef8dc93e8327cda87a632bc.rb b/lib/one_gadget/builds/libc-2.19-90b068141be8b0f52ef8dc93e8327cda87a632bc.rb
index 02d6bdc..46e3e39 100644
--- a/lib/one_gadget/builds/libc-2.19-90b068141be8b0f52ef8dc93e8327cda87a632bc.rb
+++ b/lib/one_gadget/builds/libc-2.19-90b068141be8b0f52ef8dc93e8327cda87a632bc.rb
@@ -20,28 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 281025,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 281032,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 281116,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 796211,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 796290,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 937909,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 937921,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 941662,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 963176,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL || [rbp-0xf0] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rbp-0xf0])")
diff --git a/lib/one_gadget/builds/libc-2.19-913a7e92e674593c7e1121b0013d81e20cebe85c.rb b/lib/one_gadget/builds/libc-2.19-913a7e92e674593c7e1121b0013d81e20cebe85c.rb
index 15bd76d..e46c691 100644
--- a/lib/one_gadget/builds/libc-2.19-913a7e92e674593c7e1121b0013d81e20cebe85c.rb
+++ b/lib/one_gadget/builds/libc-2.19-913a7e92e674593c7e1121b0013d81e20cebe85c.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 266985,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 266992,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267076,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 765005,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 765084,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 880199,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 880211,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 895520,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-9356622cb19154bd2d3bb21e67f188e3cc3e2902.rb b/lib/one_gadget/builds/libc-2.19-9356622cb19154bd2d3bb21e67f188e3cc3e2902.rb
index 6166551..57907d7 100644
--- a/lib/one_gadget/builds/libc-2.19-9356622cb19154bd2d3bb21e67f188e3cc3e2902.rb
+++ b/lib/one_gadget/builds/libc-2.19-9356622cb19154bd2d3bb21e67f188e3cc3e2902.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 453564,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 453586,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 453590,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 453594,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 610136,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 610140,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 610146,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 610150,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-95287be8acccc7b5723f4306e6a5eca6dfe7bffd.rb b/lib/one_gadget/builds/libc-2.19-95287be8acccc7b5723f4306e6a5eca6dfe7bffd.rb
index a95bda3..0276128 100644
--- a/lib/one_gadget/builds/libc-2.19-95287be8acccc7b5723f4306e6a5eca6dfe7bffd.rb
+++ b/lib/one_gadget/builds/libc-2.19-95287be8acccc7b5723f4306e6a5eca6dfe7bffd.rb
@@ -20,28 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 281297,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 281304,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 281388,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 793523,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 793602,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 935269,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 935281,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 939084,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 960280,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL || [rbp-0xf0] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rbp-0xf0])")
diff --git a/lib/one_gadget/builds/libc-2.19-9a970aa5f863d2ccecd63ceef8bb57d28e55be11.rb b/lib/one_gadget/builds/libc-2.19-9a970aa5f863d2ccecd63ceef8bb57d28e55be11.rb
index ed6cbaa..9ef1ea5 100644
--- a/lib/one_gadget/builds/libc-2.19-9a970aa5f863d2ccecd63ceef8bb57d28e55be11.rb
+++ b/lib/one_gadget/builds/libc-2.19-9a970aa5f863d2ccecd63ceef8bb57d28e55be11.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 270395,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbp, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 270402,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 270486,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 701581,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 701660,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 822480,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
OneGadget::Gadget.add(build_id, 826475,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 826487,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.19-9bf807e100d6c152efd7e845c65ecfb92e2e202e.rb b/lib/one_gadget/builds/libc-2.19-9bf807e100d6c152efd7e845c65ecfb92e2e202e.rb
index 2f254bf..096d4c3 100644
--- a/lib/one_gadget/builds/libc-2.19-9bf807e100d6c152efd7e845c65ecfb92e2e202e.rb
+++ b/lib/one_gadget/builds/libc-2.19-9bf807e100d6c152efd7e845c65ecfb92e2e202e.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412743,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412747,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412753,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412757,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-9d1dd2edd9ada4b73ddc73ea10ba1c9ef0810248.rb b/lib/one_gadget/builds/libc-2.19-9d1dd2edd9ada4b73ddc73ea10ba1c9ef0810248.rb
index 94a0e5d..d3088b1 100644
--- a/lib/one_gadget/builds/libc-2.19-9d1dd2edd9ada4b73ddc73ea10ba1c9ef0810248.rb
+++ b/lib/one_gadget/builds/libc-2.19-9d1dd2edd9ada4b73ddc73ea10ba1c9ef0810248.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267081,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267088,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267172,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754717,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 754796,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 870583,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 870595,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 885904,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-9e817f4c472417e94d161b392e13d6aeb76f0b5a.rb b/lib/one_gadget/builds/libc-2.19-9e817f4c472417e94d161b392e13d6aeb76f0b5a.rb
index 303adca..91a66e8 100644
--- a/lib/one_gadget/builds/libc-2.19-9e817f4c472417e94d161b392e13d6aeb76f0b5a.rb
+++ b/lib/one_gadget/builds/libc-2.19-9e817f4c472417e94d161b392e13d6aeb76f0b5a.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412615,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412619,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412625,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412629,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-a13df1fb206f167af0eef4d438f3949d80f8bce3.rb b/lib/one_gadget/builds/libc-2.19-a13df1fb206f167af0eef4d438f3949d80f8bce3.rb
index cab30f2..7cea9e5 100644
--- a/lib/one_gadget/builds/libc-2.19-a13df1fb206f167af0eef4d438f3949d80f8bce3.rb
+++ b/lib/one_gadget/builds/libc-2.19-a13df1fb206f167af0eef4d438f3949d80f8bce3.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267081,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267088,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267172,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754269,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 754348,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 869895,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 869907,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 885008,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-a1818c2dd8e7c4a3d4f61270b4b29330d6b51391.rb b/lib/one_gadget/builds/libc-2.19-a1818c2dd8e7c4a3d4f61270b4b29330d6b51391.rb
index b813abd..ff4a837 100644
--- a/lib/one_gadget/builds/libc-2.19-a1818c2dd8e7c4a3d4f61270b4b29330d6b51391.rb
+++ b/lib/one_gadget/builds/libc-2.19-a1818c2dd8e7c4a3d4f61270b4b29330d6b51391.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248055,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248062,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248071,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248107,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248111,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406576,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406580,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406586,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406590,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-a2d884479c5c8f73fbb82e6fefa5083623826cc1.rb b/lib/one_gadget/builds/libc-2.19-a2d884479c5c8f73fbb82e6fefa5083623826cc1.rb
index e453d3f..ade62a3 100644
--- a/lib/one_gadget/builds/libc-2.19-a2d884479c5c8f73fbb82e6fefa5083623826cc1.rb
+++ b/lib/one_gadget/builds/libc-2.19-a2d884479c5c8f73fbb82e6fefa5083623826cc1.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248055,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248062,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248071,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248107,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248111,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406576,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406580,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406586,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406590,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-a3386004b2a158b95ba4c26c01e421e6c2191a47.rb b/lib/one_gadget/builds/libc-2.19-a3386004b2a158b95ba4c26c01e421e6c2191a47.rb
index 1937cb0..866d5b4 100644
--- a/lib/one_gadget/builds/libc-2.19-a3386004b2a158b95ba4c26c01e421e6c2191a47.rb
+++ b/lib/one_gadget/builds/libc-2.19-a3386004b2a158b95ba4c26c01e421e6c2191a47.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248135,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248142,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248151,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248187,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248191,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 408704,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 408708,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 408714,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 408718,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-a3c88cff23421ec2e3c97860bdf28868592ed14c.rb b/lib/one_gadget/builds/libc-2.19-a3c88cff23421ec2e3c97860bdf28868592ed14c.rb
index 33680f2..cc4b018 100644
--- a/lib/one_gadget/builds/libc-2.19-a3c88cff23421ec2e3c97860bdf28868592ed14c.rb
+++ b/lib/one_gadget/builds/libc-2.19-a3c88cff23421ec2e3c97860bdf28868592ed14c.rb
@@ -21,22 +21,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 242675,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 242677,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 242681,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 242688,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 242723,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 242724,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 412260,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.19-a3ebc8ad2873288cbd2a510de65161c697310e5c.rb b/lib/one_gadget/builds/libc-2.19-a3ebc8ad2873288cbd2a510de65161c697310e5c.rb
index ba5720a..b85bd1f 100644
--- a/lib/one_gadget/builds/libc-2.19-a3ebc8ad2873288cbd2a510de65161c697310e5c.rb
+++ b/lib/one_gadget/builds/libc-2.19-a3ebc8ad2873288cbd2a510de65161c697310e5c.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 249543,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 249550,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249559,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249595,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 249599,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409504,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409508,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409514,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409518,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-a4b13a91fc5d961be3e1a68a30938ba840ae4290.rb b/lib/one_gadget/builds/libc-2.19-a4b13a91fc5d961be3e1a68a30938ba840ae4290.rb
index 7312211..2246df7 100644
--- a/lib/one_gadget/builds/libc-2.19-a4b13a91fc5d961be3e1a68a30938ba840ae4290.rb
+++ b/lib/one_gadget/builds/libc-2.19-a4b13a91fc5d961be3e1a68a30938ba840ae4290.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 256267,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 256274,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 256283,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 256319,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 256323,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 420079,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 420083,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 420089,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 420093,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-a6222959a65e5367ec3f2b54d7f114f6a2c8ce28.rb b/lib/one_gadget/builds/libc-2.19-a6222959a65e5367ec3f2b54d7f114f6a2c8ce28.rb
index 81c52f4..5c37768 100644
--- a/lib/one_gadget/builds/libc-2.19-a6222959a65e5367ec3f2b54d7f114f6a2c8ce28.rb
+++ b/lib/one_gadget/builds/libc-2.19-a6222959a65e5367ec3f2b54d7f114f6a2c8ce28.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255635,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 255642,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255651,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255687,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255691,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415079,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 415083,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 415089,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 415093,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-a62a3aed804ccd4faac1ae52ee39165dd1cf4ebe.rb b/lib/one_gadget/builds/libc-2.19-a62a3aed804ccd4faac1ae52ee39165dd1cf4ebe.rb
index df9bd4f..ff9f7a9 100644
--- a/lib/one_gadget/builds/libc-2.19-a62a3aed804ccd4faac1ae52ee39165dd1cf4ebe.rb
+++ b/lib/one_gadget/builds/libc-2.19-a62a3aed804ccd4faac1ae52ee39165dd1cf4ebe.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 454092,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 454114,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454118,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454122,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 609331,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 609335,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 609341,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 609345,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-a71e7ba2ffe12012ab7e5c0ff7d83d6f627a7548.rb b/lib/one_gadget/builds/libc-2.19-a71e7ba2ffe12012ab7e5c0ff7d83d6f627a7548.rb
index 1a7f716..3533b43 100644
--- a/lib/one_gadget/builds/libc-2.19-a71e7ba2ffe12012ab7e5c0ff7d83d6f627a7548.rb
+++ b/lib/one_gadget/builds/libc-2.19-a71e7ba2ffe12012ab7e5c0ff7d83d6f627a7548.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 452924,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 452946,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452950,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452954,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 609395,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 609399,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 609405,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 609409,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-a7204938a680127c01c9799462c3b33035f06358.rb b/lib/one_gadget/builds/libc-2.19-a7204938a680127c01c9799462c3b33035f06358.rb
index 4412fbb..aab5039 100644
--- a/lib/one_gadget/builds/libc-2.19-a7204938a680127c01c9799462c3b33035f06358.rb
+++ b/lib/one_gadget/builds/libc-2.19-a7204938a680127c01c9799462c3b33035f06358.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248167,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248174,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248183,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248219,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248223,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406672,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406676,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406682,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406686,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-a77581d3046ec7a2176ba4bebc222562668d9fd6.rb b/lib/one_gadget/builds/libc-2.19-a77581d3046ec7a2176ba4bebc222562668d9fd6.rb
index a7cafdf..66f4a65 100644
--- a/lib/one_gadget/builds/libc-2.19-a77581d3046ec7a2176ba4bebc222562668d9fd6.rb
+++ b/lib/one_gadget/builds/libc-2.19-a77581d3046ec7a2176ba4bebc222562668d9fd6.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248407,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248414,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248423,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248459,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248463,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406208,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406212,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406218,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406222,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-a77d09f3b8cbad4c430378157308f6cb71549a5a.rb b/lib/one_gadget/builds/libc-2.19-a77d09f3b8cbad4c430378157308f6cb71549a5a.rb
index a064750..eee97a3 100644
--- a/lib/one_gadget/builds/libc-2.19-a77d09f3b8cbad4c430378157308f6cb71549a5a.rb
+++ b/lib/one_gadget/builds/libc-2.19-a77d09f3b8cbad4c430378157308f6cb71549a5a.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412775,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412779,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412785,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412789,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-a7e2264ecf52a64ea3ab55163132240c3142eafd.rb b/lib/one_gadget/builds/libc-2.19-a7e2264ecf52a64ea3ab55163132240c3142eafd.rb
index dab08a0..e1336df 100644
--- a/lib/one_gadget/builds/libc-2.19-a7e2264ecf52a64ea3ab55163132240c3142eafd.rb
+++ b/lib/one_gadget/builds/libc-2.19-a7e2264ecf52a64ea3ab55163132240c3142eafd.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412615,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412619,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412625,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412629,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-a820f849dda0b99ed06dd59bb88404969b3a5f88.rb b/lib/one_gadget/builds/libc-2.19-a820f849dda0b99ed06dd59bb88404969b3a5f88.rb
index fcc20e4..d7a6d05 100644
--- a/lib/one_gadget/builds/libc-2.19-a820f849dda0b99ed06dd59bb88404969b3a5f88.rb
+++ b/lib/one_gadget/builds/libc-2.19-a820f849dda0b99ed06dd59bb88404969b3a5f88.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 262563,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 262570,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 262579,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 262615,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 262619,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415381,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 415385,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 415391,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 415395,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-a9f67b66e93e0abd79f1d8028188377397e4536b.rb b/lib/one_gadget/builds/libc-2.19-a9f67b66e93e0abd79f1d8028188377397e4536b.rb
index 3c0ed54..1cfd600 100644
--- a/lib/one_gadget/builds/libc-2.19-a9f67b66e93e0abd79f1d8028188377397e4536b.rb
+++ b/lib/one_gadget/builds/libc-2.19-a9f67b66e93e0abd79f1d8028188377397e4536b.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261639,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 261646,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261655,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261691,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 261695,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415015,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 415019,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 415025,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 415029,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-ab474a836c41aed0f0bad2ddc66388253bfa75af.rb b/lib/one_gadget/builds/libc-2.19-ab474a836c41aed0f0bad2ddc66388253bfa75af.rb
index d29818b..d324364 100644
--- a/lib/one_gadget/builds/libc-2.19-ab474a836c41aed0f0bad2ddc66388253bfa75af.rb
+++ b/lib/one_gadget/builds/libc-2.19-ab474a836c41aed0f0bad2ddc66388253bfa75af.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 453804,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 453826,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 453830,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 453834,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 610355,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 610359,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 610365,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 610369,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-ad03e0bcbda2213489f10a6bf63a7f5fe3dd6558.rb b/lib/one_gadget/builds/libc-2.19-ad03e0bcbda2213489f10a6bf63a7f5fe3dd6558.rb
index e92bc14..0d2d0a6 100644
--- a/lib/one_gadget/builds/libc-2.19-ad03e0bcbda2213489f10a6bf63a7f5fe3dd6558.rb
+++ b/lib/one_gadget/builds/libc-2.19-ad03e0bcbda2213489f10a6bf63a7f5fe3dd6558.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267897,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267904,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267988,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 755149,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 755228,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 870775,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 870787,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 885888,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-ad91c7db0fad11b03e3ce92eda28f673cb36db5d.rb b/lib/one_gadget/builds/libc-2.19-ad91c7db0fad11b03e3ce92eda28f673cb36db5d.rb
index 75f53f0..2e0c58e 100644
--- a/lib/one_gadget/builds/libc-2.19-ad91c7db0fad11b03e3ce92eda28f673cb36db5d.rb
+++ b/lib/one_gadget/builds/libc-2.19-ad91c7db0fad11b03e3ce92eda28f673cb36db5d.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255223,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 255230,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255239,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255275,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255279,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415463,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 415467,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 415473,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 415477,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-adf7d21d8b442e6b601ad3dcc180608193d2d041.rb b/lib/one_gadget/builds/libc-2.19-adf7d21d8b442e6b601ad3dcc180608193d2d041.rb
index 2e87d80..aca4a4b 100644
--- a/lib/one_gadget/builds/libc-2.19-adf7d21d8b442e6b601ad3dcc180608193d2d041.rb
+++ b/lib/one_gadget/builds/libc-2.19-adf7d21d8b442e6b601ad3dcc180608193d2d041.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 453900,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 453922,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 453926,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 453930,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 609155,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 609159,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 609165,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 609169,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-b166aefc9dff38869ad893bea2e9ce5e848628b1.rb b/lib/one_gadget/builds/libc-2.19-b166aefc9dff38869ad893bea2e9ce5e848628b1.rb
index 92b6734..d5dfa99 100644
--- a/lib/one_gadget/builds/libc-2.19-b166aefc9dff38869ad893bea2e9ce5e848628b1.rb
+++ b/lib/one_gadget/builds/libc-2.19-b166aefc9dff38869ad893bea2e9ce5e848628b1.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261639,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 261646,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261655,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261691,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 261695,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415015,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 415019,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 415025,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 415029,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-b2c58c0aaead4cc02a5ad606edf4284ca598c0ef.rb b/lib/one_gadget/builds/libc-2.19-b2c58c0aaead4cc02a5ad606edf4284ca598c0ef.rb
index 1fc3e4a..23ca620 100644
--- a/lib/one_gadget/builds/libc-2.19-b2c58c0aaead4cc02a5ad606edf4284ca598c0ef.rb
+++ b/lib/one_gadget/builds/libc-2.19-b2c58c0aaead4cc02a5ad606edf4284ca598c0ef.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255491,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 255498,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255507,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255543,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255547,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 417271,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 417275,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 417281,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 417285,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-b32788d3f2b080bd447b295cf59ace25fbfce313.rb b/lib/one_gadget/builds/libc-2.19-b32788d3f2b080bd447b295cf59ace25fbfce313.rb
index bbcb893..f3004ad 100644
--- a/lib/one_gadget/builds/libc-2.19-b32788d3f2b080bd447b295cf59ace25fbfce313.rb
+++ b/lib/one_gadget/builds/libc-2.19-b32788d3f2b080bd447b295cf59ace25fbfce313.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 262523,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbp, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 262530,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 262614,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 700557,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 700636,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 822251,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 822263,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 837392,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-b4fbe819a1dc946528b4added1887eb9ca130275.rb b/lib/one_gadget/builds/libc-2.19-b4fbe819a1dc946528b4added1887eb9ca130275.rb
index 54850c7..c173853 100644
--- a/lib/one_gadget/builds/libc-2.19-b4fbe819a1dc946528b4added1887eb9ca130275.rb
+++ b/lib/one_gadget/builds/libc-2.19-b4fbe819a1dc946528b4added1887eb9ca130275.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 454092,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 454114,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454118,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454122,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 607171,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 607175,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 607181,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 607185,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-b571f83a8a6f5bb22d3558cddda9f943a2a67fd1.rb b/lib/one_gadget/builds/libc-2.19-b571f83a8a6f5bb22d3558cddda9f943a2a67fd1.rb
index 1147b2e..f22ee59 100644
--- a/lib/one_gadget/builds/libc-2.19-b571f83a8a6f5bb22d3558cddda9f943a2a67fd1.rb
+++ b/lib/one_gadget/builds/libc-2.19-b571f83a8a6f5bb22d3558cddda9f943a2a67fd1.rb
@@ -20,28 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 288641,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 288648,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 288732,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 797491,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 797570,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 940184,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL || [rbp-0xf0] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rbp-0xf0])")
OneGadget::Gadget.add(build_id, 943717,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 943729,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 947558,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
diff --git a/lib/one_gadget/builds/libc-2.19-b700a5d57528fde5c441b020bcc4e19a9099e05b.rb b/lib/one_gadget/builds/libc-2.19-b700a5d57528fde5c441b020bcc4e19a9099e05b.rb
index 811eae7..38efa1f 100644
--- a/lib/one_gadget/builds/libc-2.19-b700a5d57528fde5c441b020bcc4e19a9099e05b.rb
+++ b/lib/one_gadget/builds/libc-2.19-b700a5d57528fde5c441b020bcc4e19a9099e05b.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261359,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 261366,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261375,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261411,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 261415,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412736,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412740,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412746,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412750,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-b71ed2c38888a9d0e2c977877193e01a64e97a5d.rb b/lib/one_gadget/builds/libc-2.19-b71ed2c38888a9d0e2c977877193e01a64e97a5d.rb
index 09b35a8..3ac475c 100644
--- a/lib/one_gadget/builds/libc-2.19-b71ed2c38888a9d0e2c977877193e01a64e97a5d.rb
+++ b/lib/one_gadget/builds/libc-2.19-b71ed2c38888a9d0e2c977877193e01a64e97a5d.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 249495,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 249502,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249511,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249547,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 249551,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409472,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409476,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409482,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409486,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-b9082b0162f9d256c1ccf28b9d35d2cce9f6a6a4.rb b/lib/one_gadget/builds/libc-2.19-b9082b0162f9d256c1ccf28b9d35d2cce9f6a6a4.rb
index e8d0c81..33b0f53 100644
--- a/lib/one_gadget/builds/libc-2.19-b9082b0162f9d256c1ccf28b9d35d2cce9f6a6a4.rb
+++ b/lib/one_gadget/builds/libc-2.19-b9082b0162f9d256c1ccf28b9d35d2cce9f6a6a4.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412775,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412779,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412785,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412789,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-ba1b1c588dbf0ebb80c646060af92e5a93825fee.rb b/lib/one_gadget/builds/libc-2.19-ba1b1c588dbf0ebb80c646060af92e5a93825fee.rb
index 2303449..ce96c81 100644
--- a/lib/one_gadget/builds/libc-2.19-ba1b1c588dbf0ebb80c646060af92e5a93825fee.rb
+++ b/lib/one_gadget/builds/libc-2.19-ba1b1c588dbf0ebb80c646060af92e5a93825fee.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 249239,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 249246,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249255,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249291,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 249295,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409248,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409252,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409258,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409262,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-bb34f13b7ae5fe42cdd14b96dc278f9726424cac.rb b/lib/one_gadget/builds/libc-2.19-bb34f13b7ae5fe42cdd14b96dc278f9726424cac.rb
index e0a0f6e..0f37c02 100644
--- a/lib/one_gadget/builds/libc-2.19-bb34f13b7ae5fe42cdd14b96dc278f9726424cac.rb
+++ b/lib/one_gadget/builds/libc-2.19-bb34f13b7ae5fe42cdd14b96dc278f9726424cac.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406432,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406436,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406442,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406446,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-bb91233a6ef2a6c754a8ff20f7ba117d7d57707a.rb b/lib/one_gadget/builds/libc-2.19-bb91233a6ef2a6c754a8ff20f7ba117d7d57707a.rb
index b35dc37..3fda97e 100644
--- a/lib/one_gadget/builds/libc-2.19-bb91233a6ef2a6c754a8ff20f7ba117d7d57707a.rb
+++ b/lib/one_gadget/builds/libc-2.19-bb91233a6ef2a6c754a8ff20f7ba117d7d57707a.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 262555,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbp, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 262562,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 262646,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 701421,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 701500,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 823343,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 823355,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 838672,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-bd25bd030c2467d343581ee0d8d8aa7a32c7aa29.rb b/lib/one_gadget/builds/libc-2.19-bd25bd030c2467d343581ee0d8d8aa7a32c7aa29.rb
index e62931a..69ed96d 100644
--- a/lib/one_gadget/builds/libc-2.19-bd25bd030c2467d343581ee0d8d8aa7a32c7aa29.rb
+++ b/lib/one_gadget/builds/libc-2.19-bd25bd030c2467d343581ee0d8d8aa7a32c7aa29.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255911,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 255918,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 255927,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 255963,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255967,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409056,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409060,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409066,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409070,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-bd69ec1fafeef65209d9874025fd45e093b23144.rb b/lib/one_gadget/builds/libc-2.19-bd69ec1fafeef65209d9874025fd45e093b23144.rb
index 8a10e5f..81a0958 100644
--- a/lib/one_gadget/builds/libc-2.19-bd69ec1fafeef65209d9874025fd45e093b23144.rb
+++ b/lib/one_gadget/builds/libc-2.19-bd69ec1fafeef65209d9874025fd45e093b23144.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248567,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248574,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248583,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248619,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248623,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 408560,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 408564,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 408570,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 408574,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-be4425690f42dd1807770d974ff87b88c51d306d.rb b/lib/one_gadget/builds/libc-2.19-be4425690f42dd1807770d974ff87b88c51d306d.rb
index 733692c..8e2103d 100644
--- a/lib/one_gadget/builds/libc-2.19-be4425690f42dd1807770d974ff87b88c51d306d.rb
+++ b/lib/one_gadget/builds/libc-2.19-be4425690f42dd1807770d974ff87b88c51d306d.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406400,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406404,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406410,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406414,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-bf368b38f238cfe2c12eac2b487ee8ae58a3a0d8.rb b/lib/one_gadget/builds/libc-2.19-bf368b38f238cfe2c12eac2b487ee8ae58a3a0d8.rb
index 7a543a4..5f14333 100644
--- a/lib/one_gadget/builds/libc-2.19-bf368b38f238cfe2c12eac2b487ee8ae58a3a0d8.rb
+++ b/lib/one_gadget/builds/libc-2.19-bf368b38f238cfe2c12eac2b487ee8ae58a3a0d8.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255223,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 255230,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255239,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255275,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255279,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415463,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 415467,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 415473,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 415477,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-c00c9b70ba01f92a952474258bed608c3e7be6b9.rb b/lib/one_gadget/builds/libc-2.19-c00c9b70ba01f92a952474258bed608c3e7be6b9.rb
index 291aa8f..4a93953 100644
--- a/lib/one_gadget/builds/libc-2.19-c00c9b70ba01f92a952474258bed608c3e7be6b9.rb
+++ b/lib/one_gadget/builds/libc-2.19-c00c9b70ba01f92a952474258bed608c3e7be6b9.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412743,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412747,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412753,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412757,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-c0ee9400445c93ecbc8562e006a8b95ed4d07834.rb b/lib/one_gadget/builds/libc-2.19-c0ee9400445c93ecbc8562e006a8b95ed4d07834.rb
index 699087d..051308a 100644
--- a/lib/one_gadget/builds/libc-2.19-c0ee9400445c93ecbc8562e006a8b95ed4d07834.rb
+++ b/lib/one_gadget/builds/libc-2.19-c0ee9400445c93ecbc8562e006a8b95ed4d07834.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248567,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248574,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248583,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248619,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248623,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 408528,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 408532,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 408538,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 408542,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-c24f77af0c861079dbcbbdf09f4b8eee8eb7130c.rb b/lib/one_gadget/builds/libc-2.19-c24f77af0c861079dbcbbdf09f4b8eee8eb7130c.rb
index 36e048b..35fe5be 100644
--- a/lib/one_gadget/builds/libc-2.19-c24f77af0c861079dbcbbdf09f4b8eee8eb7130c.rb
+++ b/lib/one_gadget/builds/libc-2.19-c24f77af0c861079dbcbbdf09f4b8eee8eb7130c.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412647,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412651,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412657,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412661,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-c379cc4f4e8a55319c70e4d3ce4dc2a4c30f151a.rb b/lib/one_gadget/builds/libc-2.19-c379cc4f4e8a55319c70e4d3ce4dc2a4c30f151a.rb
index 90da39a..647afa9 100644
--- a/lib/one_gadget/builds/libc-2.19-c379cc4f4e8a55319c70e4d3ce4dc2a4c30f151a.rb
+++ b/lib/one_gadget/builds/libc-2.19-c379cc4f4e8a55319c70e4d3ce4dc2a4c30f151a.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248567,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248574,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248583,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248619,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248623,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 408528,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 408532,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 408538,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 408542,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-c40027c0c6f76c27293f7570888b9d64e1a93285.rb b/lib/one_gadget/builds/libc-2.19-c40027c0c6f76c27293f7570888b9d64e1a93285.rb
index 301e802..3c25b93 100644
--- a/lib/one_gadget/builds/libc-2.19-c40027c0c6f76c27293f7570888b9d64e1a93285.rb
+++ b/lib/one_gadget/builds/libc-2.19-c40027c0c6f76c27293f7570888b9d64e1a93285.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261639,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 261646,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261655,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261691,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 261695,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 414983,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 414987,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 414993,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 414997,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-c41ed0ae53a1a559a44a1140c77c3b274a38e442.rb b/lib/one_gadget/builds/libc-2.19-c41ed0ae53a1a559a44a1140c77c3b274a38e442.rb
index 620c623..a4bb6d4 100644
--- a/lib/one_gadget/builds/libc-2.19-c41ed0ae53a1a559a44a1140c77c3b274a38e442.rb
+++ b/lib/one_gadget/builds/libc-2.19-c41ed0ae53a1a559a44a1140c77c3b274a38e442.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412775,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412779,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412785,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412789,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-c4278754b0c28c437e1e5bd195d82b6d9e4a6d73.rb b/lib/one_gadget/builds/libc-2.19-c4278754b0c28c437e1e5bd195d82b6d9e4a6d73.rb
index 4361eae..497ff1c 100644
--- a/lib/one_gadget/builds/libc-2.19-c4278754b0c28c437e1e5bd195d82b6d9e4a6d73.rb
+++ b/lib/one_gadget/builds/libc-2.19-c4278754b0c28c437e1e5bd195d82b6d9e4a6d73.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267081,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267088,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267172,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756893,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 756972,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 872759,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 872771,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 888080,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-c46746723526fa9feb3cdf4218ec24c9179131ad.rb b/lib/one_gadget/builds/libc-2.19-c46746723526fa9feb3cdf4218ec24c9179131ad.rb
index 6d97c42..033074c 100644
--- a/lib/one_gadget/builds/libc-2.19-c46746723526fa9feb3cdf4218ec24c9179131ad.rb
+++ b/lib/one_gadget/builds/libc-2.19-c46746723526fa9feb3cdf4218ec24c9179131ad.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 453772,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 453794,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 453798,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 453802,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 609027,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 609031,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 609037,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 609041,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-c5affb5af2f506eb7d48c471160790d4c24e81ae.rb b/lib/one_gadget/builds/libc-2.19-c5affb5af2f506eb7d48c471160790d4c24e81ae.rb
index 2052471..0315c57 100644
--- a/lib/one_gadget/builds/libc-2.19-c5affb5af2f506eb7d48c471160790d4c24e81ae.rb
+++ b/lib/one_gadget/builds/libc-2.19-c5affb5af2f506eb7d48c471160790d4c24e81ae.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 262411,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbp, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 262418,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 262502,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 711613,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 711692,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 833551,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 833563,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 848880,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-c5e45bf4881c526999786f4dd2718042b20e582c.rb b/lib/one_gadget/builds/libc-2.19-c5e45bf4881c526999786f4dd2718042b20e582c.rb
index e1d0169..68915b8 100644
--- a/lib/one_gadget/builds/libc-2.19-c5e45bf4881c526999786f4dd2718042b20e582c.rb
+++ b/lib/one_gadget/builds/libc-2.19-c5e45bf4881c526999786f4dd2718042b20e582c.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406432,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406436,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406442,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406446,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-c7cab037359898862b1584a1e3c3372683daad3f.rb b/lib/one_gadget/builds/libc-2.19-c7cab037359898862b1584a1e3c3372683daad3f.rb
index 63799b4..37994c7 100644
--- a/lib/one_gadget/builds/libc-2.19-c7cab037359898862b1584a1e3c3372683daad3f.rb
+++ b/lib/one_gadget/builds/libc-2.19-c7cab037359898862b1584a1e3c3372683daad3f.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 266985,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 266992,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267076,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 765005,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 765084,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 880199,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 880211,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 895520,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-c83833a5f5ca5636f8f914c2c9f1726860fce8b1.rb b/lib/one_gadget/builds/libc-2.19-c83833a5f5ca5636f8f914c2c9f1726860fce8b1.rb
index 95ed676..bdc5d85 100644
--- a/lib/one_gadget/builds/libc-2.19-c83833a5f5ca5636f8f914c2c9f1726860fce8b1.rb
+++ b/lib/one_gadget/builds/libc-2.19-c83833a5f5ca5636f8f914c2c9f1726860fce8b1.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 452940,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 452962,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452966,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452970,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 609411,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 609415,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 609421,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 609425,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-cad76dba04139f928612ee55bf9e14b74e1b7c3f.rb b/lib/one_gadget/builds/libc-2.19-cad76dba04139f928612ee55bf9e14b74e1b7c3f.rb
index 8b0dc33..35ada2a 100644
--- a/lib/one_gadget/builds/libc-2.19-cad76dba04139f928612ee55bf9e14b74e1b7c3f.rb
+++ b/lib/one_gadget/builds/libc-2.19-cad76dba04139f928612ee55bf9e14b74e1b7c3f.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 461228,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 461250,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 461254,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 461258,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 609752,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 609756,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 609762,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 609766,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-cafa8de523249f48aebec877e9f45f904e4d62a4.rb b/lib/one_gadget/builds/libc-2.19-cafa8de523249f48aebec877e9f45f904e4d62a4.rb
index 7ced12c..1bac4be 100644
--- a/lib/one_gadget/builds/libc-2.19-cafa8de523249f48aebec877e9f45f904e4d62a4.rb
+++ b/lib/one_gadget/builds/libc-2.19-cafa8de523249f48aebec877e9f45f904e4d62a4.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412743,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412747,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412753,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412757,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-cb46f5139038116d66a73281a3aca373f8ac7428.rb b/lib/one_gadget/builds/libc-2.19-cb46f5139038116d66a73281a3aca373f8ac7428.rb
index 8731b08..3a57fa3 100644
--- a/lib/one_gadget/builds/libc-2.19-cb46f5139038116d66a73281a3aca373f8ac7428.rb
+++ b/lib/one_gadget/builds/libc-2.19-cb46f5139038116d66a73281a3aca373f8ac7428.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 249239,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 249246,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249255,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249291,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 249295,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409216,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409220,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409226,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409230,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-cb6e2a7a6812e08f621a5c6b5b3372ab5126fc84.rb b/lib/one_gadget/builds/libc-2.19-cb6e2a7a6812e08f621a5c6b5b3372ab5126fc84.rb
index e00a680..bed53dd 100644
--- a/lib/one_gadget/builds/libc-2.19-cb6e2a7a6812e08f621a5c6b5b3372ab5126fc84.rb
+++ b/lib/one_gadget/builds/libc-2.19-cb6e2a7a6812e08f621a5c6b5b3372ab5126fc84.rb
@@ -21,22 +21,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 242643,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 242645,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 242649,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 242656,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 242691,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 242692,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 412228,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.19-cb8c8a8edf5ff17d2df7e68e63f6cb242d85b524.rb b/lib/one_gadget/builds/libc-2.19-cb8c8a8edf5ff17d2df7e68e63f6cb242d85b524.rb
index 0c143ff..02c00e2 100644
--- a/lib/one_gadget/builds/libc-2.19-cb8c8a8edf5ff17d2df7e68e63f6cb242d85b524.rb
+++ b/lib/one_gadget/builds/libc-2.19-cb8c8a8edf5ff17d2df7e68e63f6cb242d85b524.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406432,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406436,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406442,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406446,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-cba6f22d1ee9163390664add53a9ef135c664903.rb b/lib/one_gadget/builds/libc-2.19-cba6f22d1ee9163390664add53a9ef135c664903.rb
index de89bc9..e29b62a 100644
--- a/lib/one_gadget/builds/libc-2.19-cba6f22d1ee9163390664add53a9ef135c664903.rb
+++ b/lib/one_gadget/builds/libc-2.19-cba6f22d1ee9163390664add53a9ef135c664903.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 454092,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 454114,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454118,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454122,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 606995,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 606999,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 607005,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 607009,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-ce25be66ee91861336df34413f53446cb41a2601.rb b/lib/one_gadget/builds/libc-2.19-ce25be66ee91861336df34413f53446cb41a2601.rb
index dfc4aa6..ac9316b 100644
--- a/lib/one_gadget/builds/libc-2.19-ce25be66ee91861336df34413f53446cb41a2601.rb
+++ b/lib/one_gadget/builds/libc-2.19-ce25be66ee91861336df34413f53446cb41a2601.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267081,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267088,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267172,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754717,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 754796,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 870583,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 870595,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 885904,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-cf43a056242aa025a153e4a7b6698edd7497f305.rb b/lib/one_gadget/builds/libc-2.19-cf43a056242aa025a153e4a7b6698edd7497f305.rb
index 3e16226..d431dd1 100644
--- a/lib/one_gadget/builds/libc-2.19-cf43a056242aa025a153e4a7b6698edd7497f305.rb
+++ b/lib/one_gadget/builds/libc-2.19-cf43a056242aa025a153e4a7b6698edd7497f305.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 454092,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 454114,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454118,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454122,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 607171,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 607175,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 607181,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 607185,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-cf699a15caae64f50311fc4655b86dc39a479789.rb b/lib/one_gadget/builds/libc-2.19-cf699a15caae64f50311fc4655b86dc39a479789.rb
index f6f81f4..1ad575d 100644
--- a/lib/one_gadget/builds/libc-2.19-cf699a15caae64f50311fc4655b86dc39a479789.rb
+++ b/lib/one_gadget/builds/libc-2.19-cf699a15caae64f50311fc4655b86dc39a479789.rb
@@ -20,28 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 287777,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 287784,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 287868,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 793507,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 793586,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 936296,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL || [rbp-0xf0] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rbp-0xf0])")
OneGadget::Gadget.add(build_id, 939877,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 939889,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 943805,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
diff --git a/lib/one_gadget/builds/libc-2.19-d06fb2560475e149d6d2401eae955164eb8262fa.rb b/lib/one_gadget/builds/libc-2.19-d06fb2560475e149d6d2401eae955164eb8262fa.rb
index 7314592..dd102c8 100644
--- a/lib/one_gadget/builds/libc-2.19-d06fb2560475e149d6d2401eae955164eb8262fa.rb
+++ b/lib/one_gadget/builds/libc-2.19-d06fb2560475e149d6d2401eae955164eb8262fa.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 461228,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 461250,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 461254,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 461258,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 609752,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 609756,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 609762,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 609766,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-d11506d7facb213bd2c6063f010a42fa9d723879.rb b/lib/one_gadget/builds/libc-2.19-d11506d7facb213bd2c6063f010a42fa9d723879.rb
index 830d9fe..6b374a1 100644
--- a/lib/one_gadget/builds/libc-2.19-d11506d7facb213bd2c6063f010a42fa9d723879.rb
+++ b/lib/one_gadget/builds/libc-2.19-d11506d7facb213bd2c6063f010a42fa9d723879.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 454092,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 454114,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454118,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454122,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 607171,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 607175,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 607181,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 607185,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-d1c6ec21d9d74bb0d866a08635b1fc075c4a2e40.rb b/lib/one_gadget/builds/libc-2.19-d1c6ec21d9d74bb0d866a08635b1fc075c4a2e40.rb
index 158dfa9..3201835 100644
--- a/lib/one_gadget/builds/libc-2.19-d1c6ec21d9d74bb0d866a08635b1fc075c4a2e40.rb
+++ b/lib/one_gadget/builds/libc-2.19-d1c6ec21d9d74bb0d866a08635b1fc075c4a2e40.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406432,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406436,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406442,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406446,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-d2b9e70520a7dbf92895b3d08c9e6a92010571cf.rb b/lib/one_gadget/builds/libc-2.19-d2b9e70520a7dbf92895b3d08c9e6a92010571cf.rb
index 67e1729..de14c2a 100644
--- a/lib/one_gadget/builds/libc-2.19-d2b9e70520a7dbf92895b3d08c9e6a92010571cf.rb
+++ b/lib/one_gadget/builds/libc-2.19-d2b9e70520a7dbf92895b3d08c9e6a92010571cf.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412743,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412747,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412753,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412757,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-d56aa9d47cf61192f75e28fef805c0ce20502157.rb b/lib/one_gadget/builds/libc-2.19-d56aa9d47cf61192f75e28fef805c0ce20502157.rb
index 9067c24..8a8074e 100644
--- a/lib/one_gadget/builds/libc-2.19-d56aa9d47cf61192f75e28fef805c0ce20502157.rb
+++ b/lib/one_gadget/builds/libc-2.19-d56aa9d47cf61192f75e28fef805c0ce20502157.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 263451,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbp, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 263458,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 263542,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 701565,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 701644,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 823243,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 823255,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 838384,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-d66b201cb2987a585890d4be28cf92dad14cb760.rb b/lib/one_gadget/builds/libc-2.19-d66b201cb2987a585890d4be28cf92dad14cb760.rb
index ec592ce..4b58a42 100644
--- a/lib/one_gadget/builds/libc-2.19-d66b201cb2987a585890d4be28cf92dad14cb760.rb
+++ b/lib/one_gadget/builds/libc-2.19-d66b201cb2987a585890d4be28cf92dad14cb760.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267865,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267872,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267956,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754877,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 754956,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 870503,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 870515,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 885520,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-d6c3d9e55db8600672a2ef744f57aa84e6bea41a.rb b/lib/one_gadget/builds/libc-2.19-d6c3d9e55db8600672a2ef744f57aa84e6bea41a.rb
index cd10ca7..15f241b 100644
--- a/lib/one_gadget/builds/libc-2.19-d6c3d9e55db8600672a2ef744f57aa84e6bea41a.rb
+++ b/lib/one_gadget/builds/libc-2.19-d6c3d9e55db8600672a2ef744f57aa84e6bea41a.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255911,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 255918,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 255927,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 255963,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255967,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409024,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409028,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409034,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409038,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-d80f3b321f845a71f3c47d913dd3e65152565863.rb b/lib/one_gadget/builds/libc-2.19-d80f3b321f845a71f3c47d913dd3e65152565863.rb
index 93d4db7..f0109a9 100644
--- a/lib/one_gadget/builds/libc-2.19-d80f3b321f845a71f3c47d913dd3e65152565863.rb
+++ b/lib/one_gadget/builds/libc-2.19-d80f3b321f845a71f3c47d913dd3e65152565863.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255911,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 255918,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 255927,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 255963,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255967,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409024,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409028,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409034,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409038,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-d8adddcd7476a6b09bdf02fe1e1d73bd393b6ed7.rb b/lib/one_gadget/builds/libc-2.19-d8adddcd7476a6b09bdf02fe1e1d73bd393b6ed7.rb
index 328e169..3fbc87d 100644
--- a/lib/one_gadget/builds/libc-2.19-d8adddcd7476a6b09bdf02fe1e1d73bd393b6ed7.rb
+++ b/lib/one_gadget/builds/libc-2.19-d8adddcd7476a6b09bdf02fe1e1d73bd393b6ed7.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 266985,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 266992,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267076,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 765005,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 765084,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 880199,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 880211,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 895520,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-d9a10b8ef90300628dd0a3a535106967714d7328.rb b/lib/one_gadget/builds/libc-2.19-d9a10b8ef90300628dd0a3a535106967714d7328.rb
index 87a251f..7eb687b 100644
--- a/lib/one_gadget/builds/libc-2.19-d9a10b8ef90300628dd0a3a535106967714d7328.rb
+++ b/lib/one_gadget/builds/libc-2.19-d9a10b8ef90300628dd0a3a535106967714d7328.rb
@@ -20,28 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 287777,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 287784,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 287868,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 809715,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 809794,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 951832,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL || [rbp-0xf0] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rbp-0xf0])")
OneGadget::Gadget.add(build_id, 955413,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 955425,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 959341,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
diff --git a/lib/one_gadget/builds/libc-2.19-db3fac1541a95bdab2d9ae20bdef3c2f1c13b7e0.rb b/lib/one_gadget/builds/libc-2.19-db3fac1541a95bdab2d9ae20bdef3c2f1c13b7e0.rb
index 3c3bdf8..627fa4e 100644
--- a/lib/one_gadget/builds/libc-2.19-db3fac1541a95bdab2d9ae20bdef3c2f1c13b7e0.rb
+++ b/lib/one_gadget/builds/libc-2.19-db3fac1541a95bdab2d9ae20bdef3c2f1c13b7e0.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412743,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412747,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412753,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412757,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-dd1b1c22eae3c8f0faa0b355bbcdca8f7c0cd91d.rb b/lib/one_gadget/builds/libc-2.19-dd1b1c22eae3c8f0faa0b355bbcdca8f7c0cd91d.rb
index 8fe76a5..0d5123f 100644
--- a/lib/one_gadget/builds/libc-2.19-dd1b1c22eae3c8f0faa0b355bbcdca8f7c0cd91d.rb
+++ b/lib/one_gadget/builds/libc-2.19-dd1b1c22eae3c8f0faa0b355bbcdca8f7c0cd91d.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 256039,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 256046,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 256055,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 256091,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 256095,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409184,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409188,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409194,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409198,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-df559a150829d9f3cdd0b5ce1e5b4d512d20f55f.rb b/lib/one_gadget/builds/libc-2.19-df559a150829d9f3cdd0b5ce1e5b4d512d20f55f.rb
index a3be304..d49b1fc 100644
--- a/lib/one_gadget/builds/libc-2.19-df559a150829d9f3cdd0b5ce1e5b4d512d20f55f.rb
+++ b/lib/one_gadget/builds/libc-2.19-df559a150829d9f3cdd0b5ce1e5b4d512d20f55f.rb
@@ -22,22 +22,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255187,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 255194,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255203,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255239,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255243,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 416847,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 416851,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 416857,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 416861,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-e01fa6a6b4685ecaebc6756679c283c6572eb6f2.rb b/lib/one_gadget/builds/libc-2.19-e01fa6a6b4685ecaebc6756679c283c6572eb6f2.rb
index a2dfb63..7bc5936 100644
--- a/lib/one_gadget/builds/libc-2.19-e01fa6a6b4685ecaebc6756679c283c6572eb6f2.rb
+++ b/lib/one_gadget/builds/libc-2.19-e01fa6a6b4685ecaebc6756679c283c6572eb6f2.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 454796,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 454818,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454822,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 454826,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 610051,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 610055,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 610061,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 610065,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-e10149c2a9bf0df3c9149b351168fcd32adb41c6.rb b/lib/one_gadget/builds/libc-2.19-e10149c2a9bf0df3c9149b351168fcd32adb41c6.rb
index ec9b825..15afa7e 100644
--- a/lib/one_gadget/builds/libc-2.19-e10149c2a9bf0df3c9149b351168fcd32adb41c6.rb
+++ b/lib/one_gadget/builds/libc-2.19-e10149c2a9bf0df3c9149b351168fcd32adb41c6.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 262555,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbp, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 262562,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 262646,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 701405,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 701484,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 823359,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 823371,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 838688,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-e13d310493f24ceb84f232c5f72469cbe516d57a.rb b/lib/one_gadget/builds/libc-2.19-e13d310493f24ceb84f232c5f72469cbe516d57a.rb
index 793b2f8..b11649c 100644
--- a/lib/one_gadget/builds/libc-2.19-e13d310493f24ceb84f232c5f72469cbe516d57a.rb
+++ b/lib/one_gadget/builds/libc-2.19-e13d310493f24ceb84f232c5f72469cbe516d57a.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412647,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412651,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412657,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412661,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-e2773917e0ca89ebc16787d8cbc96400088583ec.rb b/lib/one_gadget/builds/libc-2.19-e2773917e0ca89ebc16787d8cbc96400088583ec.rb
index 90bb84d..0b1f11b 100644
--- a/lib/one_gadget/builds/libc-2.19-e2773917e0ca89ebc16787d8cbc96400088583ec.rb
+++ b/lib/one_gadget/builds/libc-2.19-e2773917e0ca89ebc16787d8cbc96400088583ec.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 249239,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 249246,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249255,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249291,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 249295,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409248,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409252,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409258,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409262,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-e4c3a6a564aeddbafa8be691efffc79e755fa8a4.rb b/lib/one_gadget/builds/libc-2.19-e4c3a6a564aeddbafa8be691efffc79e755fa8a4.rb
index d1aeac8..8fe0d2d 100644
--- a/lib/one_gadget/builds/libc-2.19-e4c3a6a564aeddbafa8be691efffc79e755fa8a4.rb
+++ b/lib/one_gadget/builds/libc-2.19-e4c3a6a564aeddbafa8be691efffc79e755fa8a4.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406400,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406404,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406410,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406414,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-e53d50e134c10f91f8cf52b1778f85b7926147cc.rb b/lib/one_gadget/builds/libc-2.19-e53d50e134c10f91f8cf52b1778f85b7926147cc.rb
index fccf947..15c16ae 100644
--- a/lib/one_gadget/builds/libc-2.19-e53d50e134c10f91f8cf52b1778f85b7926147cc.rb
+++ b/lib/one_gadget/builds/libc-2.19-e53d50e134c10f91f8cf52b1778f85b7926147cc.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 452940,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 452962,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452966,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452970,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 606707,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 606711,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 606717,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 606721,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-e540f810b37a33fab5b3116fdbf8bcaacc000c16.rb b/lib/one_gadget/builds/libc-2.19-e540f810b37a33fab5b3116fdbf8bcaacc000c16.rb
index c9e5cce..3b58310 100644
--- a/lib/one_gadget/builds/libc-2.19-e540f810b37a33fab5b3116fdbf8bcaacc000c16.rb
+++ b/lib/one_gadget/builds/libc-2.19-e540f810b37a33fab5b3116fdbf8bcaacc000c16.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 452924,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 452946,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452950,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452954,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 609395,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 609399,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 609405,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 609409,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-e5bd51e1eefbc5c3d96a3aba4dcb50a0cec162de.rb b/lib/one_gadget/builds/libc-2.19-e5bd51e1eefbc5c3d96a3aba4dcb50a0cec162de.rb
index ca26f13..eedd99c 100644
--- a/lib/one_gadget/builds/libc-2.19-e5bd51e1eefbc5c3d96a3aba4dcb50a0cec162de.rb
+++ b/lib/one_gadget/builds/libc-2.19-e5bd51e1eefbc5c3d96a3aba4dcb50a0cec162de.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255467,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 255474,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255483,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255519,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255523,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 417007,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 417011,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 417017,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 417021,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-e6ac06f6c982d98a419cec51de313ea609f2b1f2.rb b/lib/one_gadget/builds/libc-2.19-e6ac06f6c982d98a419cec51de313ea609f2b1f2.rb
index 2c7f031..6a6d85f 100644
--- a/lib/one_gadget/builds/libc-2.19-e6ac06f6c982d98a419cec51de313ea609f2b1f2.rb
+++ b/lib/one_gadget/builds/libc-2.19-e6ac06f6c982d98a419cec51de313ea609f2b1f2.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255223,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 255230,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255239,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255275,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255279,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415431,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 415435,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 415441,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 415445,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-e6e4c4588d098e16d0fba7e15ba9c81f294074a4.rb b/lib/one_gadget/builds/libc-2.19-e6e4c4588d098e16d0fba7e15ba9c81f294074a4.rb
index 7cbf26b..2b4972c 100644
--- a/lib/one_gadget/builds/libc-2.19-e6e4c4588d098e16d0fba7e15ba9c81f294074a4.rb
+++ b/lib/one_gadget/builds/libc-2.19-e6e4c4588d098e16d0fba7e15ba9c81f294074a4.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248167,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248174,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248183,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248219,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248223,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406672,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406676,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406682,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406686,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-e70d0551a6ce8feb294de6c138135b58d8763e85.rb b/lib/one_gadget/builds/libc-2.19-e70d0551a6ce8feb294de6c138135b58d8763e85.rb
index 0fe5993..1b9d774 100644
--- a/lib/one_gadget/builds/libc-2.19-e70d0551a6ce8feb294de6c138135b58d8763e85.rb
+++ b/lib/one_gadget/builds/libc-2.19-e70d0551a6ce8feb294de6c138135b58d8763e85.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267865,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267872,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267956,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754877,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 754956,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 870503,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 870515,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 885520,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-e806961cc6bc18acfd55df2613b100a9e733cebd.rb b/lib/one_gadget/builds/libc-2.19-e806961cc6bc18acfd55df2613b100a9e733cebd.rb
index 45a2141..6d5943c 100644
--- a/lib/one_gadget/builds/libc-2.19-e806961cc6bc18acfd55df2613b100a9e733cebd.rb
+++ b/lib/one_gadget/builds/libc-2.19-e806961cc6bc18acfd55df2613b100a9e733cebd.rb
@@ -21,22 +21,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 242643,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 242645,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 242649,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 242656,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 242691,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 242692,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 412228,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.19-e882a1c9195b6bc1a62b3aeda9b63733109abd2f.rb b/lib/one_gadget/builds/libc-2.19-e882a1c9195b6bc1a62b3aeda9b63733109abd2f.rb
index 65df71b..2edcb29 100644
--- a/lib/one_gadget/builds/libc-2.19-e882a1c9195b6bc1a62b3aeda9b63733109abd2f.rb
+++ b/lib/one_gadget/builds/libc-2.19-e882a1c9195b6bc1a62b3aeda9b63733109abd2f.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255911,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 255918,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 255927,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 255963,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255967,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409056,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409060,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409066,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409070,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-e892e2e9d5818511e2390e642edd1d4cf2331885.rb b/lib/one_gadget/builds/libc-2.19-e892e2e9d5818511e2390e642edd1d4cf2331885.rb
index 01abf6a..e212228 100644
--- a/lib/one_gadget/builds/libc-2.19-e892e2e9d5818511e2390e642edd1d4cf2331885.rb
+++ b/lib/one_gadget/builds/libc-2.19-e892e2e9d5818511e2390e642edd1d4cf2331885.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 274841,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 274848,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 274932,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 755165,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 755244,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 870176,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
OneGadget::Gadget.add(build_id, 874775,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 874787,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.19-e89b2153fd6795f03d6cd1dd789241326a7ee458.rb b/lib/one_gadget/builds/libc-2.19-e89b2153fd6795f03d6cd1dd789241326a7ee458.rb
index 10c4798..7a34493 100644
--- a/lib/one_gadget/builds/libc-2.19-e89b2153fd6795f03d6cd1dd789241326a7ee458.rb
+++ b/lib/one_gadget/builds/libc-2.19-e89b2153fd6795f03d6cd1dd789241326a7ee458.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248567,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248574,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248583,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248619,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248623,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 408560,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 408564,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 408570,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 408574,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-ebc3c6d17edbddfdcb000366fae4e7cab6ba420c.rb b/lib/one_gadget/builds/libc-2.19-ebc3c6d17edbddfdcb000366fae4e7cab6ba420c.rb
index 10ae3ec..e61d593 100644
--- a/lib/one_gadget/builds/libc-2.19-ebc3c6d17edbddfdcb000366fae4e7cab6ba420c.rb
+++ b/lib/one_gadget/builds/libc-2.19-ebc3c6d17edbddfdcb000366fae4e7cab6ba420c.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 452924,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 452946,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452950,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452954,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 606867,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 606871,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 606877,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 606881,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-ecc10e3f1443d65007126bef8184ac84bfdf6b7c.rb b/lib/one_gadget/builds/libc-2.19-ecc10e3f1443d65007126bef8184ac84bfdf6b7c.rb
index 6f2cc15..44d51ad 100644
--- a/lib/one_gadget/builds/libc-2.19-ecc10e3f1443d65007126bef8184ac84bfdf6b7c.rb
+++ b/lib/one_gadget/builds/libc-2.19-ecc10e3f1443d65007126bef8184ac84bfdf6b7c.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267849,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267856,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267940,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 755037,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 755116,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 870647,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 870659,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 885760,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-edc2302cd47e8eedfc2e45da9fddecbdb07b4f21.rb b/lib/one_gadget/builds/libc-2.19-edc2302cd47e8eedfc2e45da9fddecbdb07b4f21.rb
index f36c204..da6106f 100644
--- a/lib/one_gadget/builds/libc-2.19-edc2302cd47e8eedfc2e45da9fddecbdb07b4f21.rb
+++ b/lib/one_gadget/builds/libc-2.19-edc2302cd47e8eedfc2e45da9fddecbdb07b4f21.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 414679,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 414683,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 414689,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 414693,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-edd5ba629053d507cb963d5269db6e7ae5bde36e.rb b/lib/one_gadget/builds/libc-2.19-edd5ba629053d507cb963d5269db6e7ae5bde36e.rb
index 134859d..e05ede0 100644
--- a/lib/one_gadget/builds/libc-2.19-edd5ba629053d507cb963d5269db6e7ae5bde36e.rb
+++ b/lib/one_gadget/builds/libc-2.19-edd5ba629053d507cb963d5269db6e7ae5bde36e.rb
@@ -20,25 +20,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 266985,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 266992,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 267076,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 765005,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 765084,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
OneGadget::Gadget.add(build_id, 880871,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 880883,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 896192,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-f3a1e60201c31bb9fef972279d08dfc33dbb3ce9.rb b/lib/one_gadget/builds/libc-2.19-f3a1e60201c31bb9fef972279d08dfc33dbb3ce9.rb
index 162bdd1..68828d7 100644
--- a/lib/one_gadget/builds/libc-2.19-f3a1e60201c31bb9fef972279d08dfc33dbb3ce9.rb
+++ b/lib/one_gadget/builds/libc-2.19-f3a1e60201c31bb9fef972279d08dfc33dbb3ce9.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412647,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412651,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412657,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412661,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-f5c375701c2c4406306201e19b42521f504175ec.rb b/lib/one_gadget/builds/libc-2.19-f5c375701c2c4406306201e19b42521f504175ec.rb
index c90f7a0..518a37a 100644
--- a/lib/one_gadget/builds/libc-2.19-f5c375701c2c4406306201e19b42521f504175ec.rb
+++ b/lib/one_gadget/builds/libc-2.19-f5c375701c2c4406306201e19b42521f504175ec.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406400,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406404,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406410,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406414,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-f5e1349016d93661914069bcc7254e702434e445.rb b/lib/one_gadget/builds/libc-2.19-f5e1349016d93661914069bcc7254e702434e445.rb
index fccaf6d..b3d6e30 100644
--- a/lib/one_gadget/builds/libc-2.19-f5e1349016d93661914069bcc7254e702434e445.rb
+++ b/lib/one_gadget/builds/libc-2.19-f5e1349016d93661914069bcc7254e702434e445.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 248655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406432,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406436,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406442,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406446,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-f6248141094bb965d660fd2ce31d8534593c1003.rb b/lib/one_gadget/builds/libc-2.19-f6248141094bb965d660fd2ce31d8534593c1003.rb
index d7acd8e..5456dd6 100644
--- a/lib/one_gadget/builds/libc-2.19-f6248141094bb965d660fd2ce31d8534593c1003.rb
+++ b/lib/one_gadget/builds/libc-2.19-f6248141094bb965d660fd2ce31d8534593c1003.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254311,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254318,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254327,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254363,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254367,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 414551,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 414555,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 414561,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 414565,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-f6ba6844f5bba0603e13b577328b9f326d4fef8a.rb b/lib/one_gadget/builds/libc-2.19-f6ba6844f5bba0603e13b577328b9f326d4fef8a.rb
index 38d2c69..92d8815 100644
--- a/lib/one_gadget/builds/libc-2.19-f6ba6844f5bba0603e13b577328b9f326d4fef8a.rb
+++ b/lib/one_gadget/builds/libc-2.19-f6ba6844f5bba0603e13b577328b9f326d4fef8a.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 461228,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 461250,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 461254,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 461258,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 609752,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 609756,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 609762,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 609766,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-f8cc1a32de8229e21b61215844be0462c6ac49a6.rb b/lib/one_gadget/builds/libc-2.19-f8cc1a32de8229e21b61215844be0462c6ac49a6.rb
index f8b2f29..b809cb3 100644
--- a/lib/one_gadget/builds/libc-2.19-f8cc1a32de8229e21b61215844be0462c6ac49a6.rb
+++ b/lib/one_gadget/builds/libc-2.19-f8cc1a32de8229e21b61215844be0462c6ac49a6.rb
@@ -19,21 +19,27 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 452940,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 452962,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452966,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 452970,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 609587,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 609591,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 609597,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 609601,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-f9b5531180de2f0ce620bc03b5fc4d7f8570fd18.rb b/lib/one_gadget/builds/libc-2.19-f9b5531180de2f0ce620bc03b5fc4d7f8570fd18.rb
index dfd3931..7f147e6 100644
--- a/lib/one_gadget/builds/libc-2.19-f9b5531180de2f0ce620bc03b5fc4d7f8570fd18.rb
+++ b/lib/one_gadget/builds/libc-2.19-f9b5531180de2f0ce620bc03b5fc4d7f8570fd18.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 262187,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 262194,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 262203,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 262239,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 262243,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 414981,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 414985,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 414991,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 414995,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-fb899b514fa6763ad006688efb32ecf9ca691ff3.rb b/lib/one_gadget/builds/libc-2.19-fb899b514fa6763ad006688efb32ecf9ca691ff3.rb
index 9bece8c..caf5c87 100644
--- a/lib/one_gadget/builds/libc-2.19-fb899b514fa6763ad006688efb32ecf9ca691ff3.rb
+++ b/lib/one_gadget/builds/libc-2.19-fb899b514fa6763ad006688efb32ecf9ca691ff3.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 249111,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 249118,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249127,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249163,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 249167,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409680,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409684,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409690,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409694,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-fd51b20e670e9a9f60dc3b06dc9761fb08c9358b.rb b/lib/one_gadget/builds/libc-2.19-fd51b20e670e9a9f60dc3b06dc9761fb08c9358b.rb
index e798e35..8287cc3 100644
--- a/lib/one_gadget/builds/libc-2.19-fd51b20e670e9a9f60dc3b06dc9761fb08c9358b.rb
+++ b/lib/one_gadget/builds/libc-2.19-fd51b20e670e9a9f60dc3b06dc9761fb08c9358b.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261399,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 261406,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261415,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 261451,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 261455,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412768,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412772,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412778,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412782,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-fd5df0d8007d692d1c00226f81ba04b4f734b5b2.rb b/lib/one_gadget/builds/libc-2.19-fd5df0d8007d692d1c00226f81ba04b4f734b5b2.rb
index 8f1594e..9f60b71 100644
--- a/lib/one_gadget/builds/libc-2.19-fd5df0d8007d692d1c00226f81ba04b4f734b5b2.rb
+++ b/lib/one_gadget/builds/libc-2.19-fd5df0d8007d692d1c00226f81ba04b4f734b5b2.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254967,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254974,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254983,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255019,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 255023,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415207,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 415211,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 415217,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 415221,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-fe493bf9ecadc1f26aa36d4a95c718e9f227ad3a.rb b/lib/one_gadget/builds/libc-2.19-fe493bf9ecadc1f26aa36d4a95c718e9f227ad3a.rb
index 9536f46..527ff7c 100644
--- a/lib/one_gadget/builds/libc-2.19-fe493bf9ecadc1f26aa36d4a95c718e9f227ad3a.rb
+++ b/lib/one_gadget/builds/libc-2.19-fe493bf9ecadc1f26aa36d4a95c718e9f227ad3a.rb
@@ -20,22 +20,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412647,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 412651,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 412657,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 412661,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-fe76e177d397e9bdccf270232cc7e3a06e84aeb1.rb b/lib/one_gadget/builds/libc-2.19-fe76e177d397e9bdccf270232cc7e3a06e84aeb1.rb
index cb4103c..88a87c7 100644
--- a/lib/one_gadget/builds/libc-2.19-fe76e177d397e9bdccf270232cc7e3a06e84aeb1.rb
+++ b/lib/one_gadget/builds/libc-2.19-fe76e177d397e9bdccf270232cc7e3a06e84aeb1.rb
@@ -19,22 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 249239,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 249246,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249255,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249291,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 249295,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409216,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 409220,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 409226,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 409230,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.20-024df4febc9c789a8eeb052385d5e780b98a379f.rb b/lib/one_gadget/builds/libc-2.20-024df4febc9c789a8eeb052385d5e780b98a379f.rb
index d0ed437..0fca0b9 100644
--- a/lib/one_gadget/builds/libc-2.20-024df4febc9c789a8eeb052385d5e780b98a379f.rb
+++ b/lib/one_gadget/builds/libc-2.20-024df4febc9c789a8eeb052385d5e780b98a379f.rb
@@ -22,22 +22,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 248462,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 248464,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 248468,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 248475,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 248510,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 248511,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 416308,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.20-074a896d13132ebfb22b89fd4d026b8608b84d01.rb b/lib/one_gadget/builds/libc-2.20-074a896d13132ebfb22b89fd4d026b8608b84d01.rb
index 8e52fab..cf7178f 100644
--- a/lib/one_gadget/builds/libc-2.20-074a896d13132ebfb22b89fd4d026b8608b84d01.rb
+++ b/lib/one_gadget/builds/libc-2.20-074a896d13132ebfb22b89fd4d026b8608b84d01.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261711,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 261718,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 261802,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754576,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 754796,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 878539,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878551,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 893777,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.20-0a1de0cc524dacd5b00c678daf50dde4d4539203.rb b/lib/one_gadget/builds/libc-2.20-0a1de0cc524dacd5b00c678daf50dde4d4539203.rb
index bfbd803..c0ea994 100644
--- a/lib/one_gadget/builds/libc-2.20-0a1de0cc524dacd5b00c678daf50dde4d4539203.rb
+++ b/lib/one_gadget/builds/libc-2.20-0a1de0cc524dacd5b00c678daf50dde4d4539203.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 241422,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 241424,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 241428,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241435,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241470,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241471,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 408836,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.20-22fcfb6d820fec1bd07ebc3506236a1c10d2a74e.rb b/lib/one_gadget/builds/libc-2.20-22fcfb6d820fec1bd07ebc3506236a1c10d2a74e.rb
index e0e87d1..0266ccd 100644
--- a/lib/one_gadget/builds/libc-2.20-22fcfb6d820fec1bd07ebc3506236a1c10d2a74e.rb
+++ b/lib/one_gadget/builds/libc-2.20-22fcfb6d820fec1bd07ebc3506236a1c10d2a74e.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 241374,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 241376,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 241380,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241387,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241422,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241423,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 408788,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.20-317589ae8050581abdfc414151c4655abc3cdfcd.rb b/lib/one_gadget/builds/libc-2.20-317589ae8050581abdfc414151c4655abc3cdfcd.rb
index fafe614..40c6ef9 100644
--- a/lib/one_gadget/builds/libc-2.20-317589ae8050581abdfc414151c4655abc3cdfcd.rb
+++ b/lib/one_gadget/builds/libc-2.20-317589ae8050581abdfc414151c4655abc3cdfcd.rb
@@ -22,22 +22,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 247414,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 247416,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 247420,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 247427,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 247462,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 247463,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 413860,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.20-370ce0ece788e8e73d938f2fb3ce6adb890eb417.rb b/lib/one_gadget/builds/libc-2.20-370ce0ece788e8e73d938f2fb3ce6adb890eb417.rb
index c42938c..c3cff6a 100644
--- a/lib/one_gadget/builds/libc-2.20-370ce0ece788e8e73d938f2fb3ce6adb890eb417.rb
+++ b/lib/one_gadget/builds/libc-2.20-370ce0ece788e8e73d938f2fb3ce6adb890eb417.rb
@@ -22,22 +22,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 248462,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 248464,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 248468,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 248475,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 248510,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 248511,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 419764,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.20-389e645d86ab23c5f6acd039caacb18a02c3cfa2.rb b/lib/one_gadget/builds/libc-2.20-389e645d86ab23c5f6acd039caacb18a02c3cfa2.rb
index a3ceaae..0ffec1b 100644
--- a/lib/one_gadget/builds/libc-2.20-389e645d86ab23c5f6acd039caacb18a02c3cfa2.rb
+++ b/lib/one_gadget/builds/libc-2.20-389e645d86ab23c5f6acd039caacb18a02c3cfa2.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 241374,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 241376,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 241380,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241387,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241422,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241423,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 408788,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.20-398115bd423958b1769317a6f7e4928df141eb57.rb b/lib/one_gadget/builds/libc-2.20-398115bd423958b1769317a6f7e4928df141eb57.rb
index 21eacd5..6fe9c75 100644
--- a/lib/one_gadget/builds/libc-2.20-398115bd423958b1769317a6f7e4928df141eb57.rb
+++ b/lib/one_gadget/builds/libc-2.20-398115bd423958b1769317a6f7e4928df141eb57.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 241374,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 241376,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 241380,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241387,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241422,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241423,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 409988,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.20-62fa1628ae33cc45efe8313a24ec8c475c9dffa6.rb b/lib/one_gadget/builds/libc-2.20-62fa1628ae33cc45efe8313a24ec8c475c9dffa6.rb
index d67202c..2bd7c9c 100644
--- a/lib/one_gadget/builds/libc-2.20-62fa1628ae33cc45efe8313a24ec8c475c9dffa6.rb
+++ b/lib/one_gadget/builds/libc-2.20-62fa1628ae33cc45efe8313a24ec8c475c9dffa6.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 241381,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 241383,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 241387,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241394,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241429,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241430,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 410628,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.20-6daaba13e3623d964ca116f91948afc5231732a8.rb b/lib/one_gadget/builds/libc-2.20-6daaba13e3623d964ca116f91948afc5231732a8.rb
index 179d7ec..6e43f5f 100644
--- a/lib/one_gadget/builds/libc-2.20-6daaba13e3623d964ca116f91948afc5231732a8.rb
+++ b/lib/one_gadget/builds/libc-2.20-6daaba13e3623d964ca116f91948afc5231732a8.rb
@@ -22,22 +22,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 247414,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 247416,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 247420,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 247427,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 247462,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 247463,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 417140,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.20-765f172661014a4db8bb05b203bbc07c8686aa25.rb b/lib/one_gadget/builds/libc-2.20-765f172661014a4db8bb05b203bbc07c8686aa25.rb
index f96493f..745af6c 100644
--- a/lib/one_gadget/builds/libc-2.20-765f172661014a4db8bb05b203bbc07c8686aa25.rb
+++ b/lib/one_gadget/builds/libc-2.20-765f172661014a4db8bb05b203bbc07c8686aa25.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261446,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 261453,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 261537,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754928,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 755148,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 878860,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878872,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 894049,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.20-8bb8c78658cc612de895ec59a8026a08c86662e5.rb b/lib/one_gadget/builds/libc-2.20-8bb8c78658cc612de895ec59a8026a08c86662e5.rb
index 6c9a824..6830fa7 100644
--- a/lib/one_gadget/builds/libc-2.20-8bb8c78658cc612de895ec59a8026a08c86662e5.rb
+++ b/lib/one_gadget/builds/libc-2.20-8bb8c78658cc612de895ec59a8026a08c86662e5.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 241422,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 241424,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 241428,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241435,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241470,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241471,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 410036,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.20-a8e57776dcdd5da9b7c9f60e65d28eaeb5b8173f.rb b/lib/one_gadget/builds/libc-2.20-a8e57776dcdd5da9b7c9f60e65d28eaeb5b8173f.rb
index fe1556f..9a2d360 100644
--- a/lib/one_gadget/builds/libc-2.20-a8e57776dcdd5da9b7c9f60e65d28eaeb5b8173f.rb
+++ b/lib/one_gadget/builds/libc-2.20-a8e57776dcdd5da9b7c9f60e65d28eaeb5b8173f.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 241333,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 241335,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 241339,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241346,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241381,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241382,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 410580,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.20-ad272c3f76f36f4fe1357514d4b207a06f7f536c.rb b/lib/one_gadget/builds/libc-2.20-ad272c3f76f36f4fe1357514d4b207a06f7f536c.rb
index 35bef83..46156f5 100644
--- a/lib/one_gadget/builds/libc-2.20-ad272c3f76f36f4fe1357514d4b207a06f7f536c.rb
+++ b/lib/one_gadget/builds/libc-2.20-ad272c3f76f36f4fe1357514d4b207a06f7f536c.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 241333,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 241335,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 241339,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241346,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241381,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241382,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 410580,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.20-aefe2d045393dbe3e0a2acef88b6f31a78d3a27c.rb b/lib/one_gadget/builds/libc-2.20-aefe2d045393dbe3e0a2acef88b6f31a78d3a27c.rb
index 7428ec7..a557791 100644
--- a/lib/one_gadget/builds/libc-2.20-aefe2d045393dbe3e0a2acef88b6f31a78d3a27c.rb
+++ b/lib/one_gadget/builds/libc-2.20-aefe2d045393dbe3e0a2acef88b6f31a78d3a27c.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 241381,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 241383,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 241387,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241394,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241429,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241430,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 410628,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.20-b1217615db4b7a86b90436982610bf86a03ca881.rb b/lib/one_gadget/builds/libc-2.20-b1217615db4b7a86b90436982610bf86a03ca881.rb
index 8b6b54f..d546f36 100644
--- a/lib/one_gadget/builds/libc-2.20-b1217615db4b7a86b90436982610bf86a03ca881.rb
+++ b/lib/one_gadget/builds/libc-2.20-b1217615db4b7a86b90436982610bf86a03ca881.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261446,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 261453,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 261537,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754960,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 755180,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 878892,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878904,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 894081,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.20-f3063b7115d5a383189937852ce356f4c60fd190.rb b/lib/one_gadget/builds/libc-2.20-f3063b7115d5a383189937852ce356f4c60fd190.rb
index 1a2a541..038026e 100644
--- a/lib/one_gadget/builds/libc-2.20-f3063b7115d5a383189937852ce356f4c60fd190.rb
+++ b/lib/one_gadget/builds/libc-2.20-f3063b7115d5a383189937852ce356f4c60fd190.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261711,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 261718,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 261802,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 755456,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 755676,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 879419,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 879431,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 894657,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.20-f53b8ad377a1988dcf6329bbdfa7b1201431656e.rb b/lib/one_gadget/builds/libc-2.20-f53b8ad377a1988dcf6329bbdfa7b1201431656e.rb
index 3ee2602..57d0053 100644
--- a/lib/one_gadget/builds/libc-2.20-f53b8ad377a1988dcf6329bbdfa7b1201431656e.rb
+++ b/lib/one_gadget/builds/libc-2.20-f53b8ad377a1988dcf6329bbdfa7b1201431656e.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261711,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 261718,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 261802,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754576,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 754796,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 878539,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878551,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 893777,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-04f18629ef42b062ed0c8f60d5bfaa40a7d28ef7.rb b/lib/one_gadget/builds/libc-2.21-04f18629ef42b062ed0c8f60d5bfaa40a7d28ef7.rb
index b9200e7..731d2e5 100644
--- a/lib/one_gadget/builds/libc-2.21-04f18629ef42b062ed0c8f60d5bfaa40a7d28ef7.rb
+++ b/lib/one_gadget/builds/libc-2.21-04f18629ef42b062ed0c8f60d5bfaa40a7d28ef7.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240831,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240833,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240837,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240844,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240879,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240880,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 402660,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-092fa8483d177952f4b38a4b9be8305baef60466.rb b/lib/one_gadget/builds/libc-2.21-092fa8483d177952f4b38a4b9be8305baef60466.rb
index 742cd34..db5e6f1 100644
--- a/lib/one_gadget/builds/libc-2.21-092fa8483d177952f4b38a4b9be8305baef60466.rb
+++ b/lib/one_gadget/builds/libc-2.21-092fa8483d177952f4b38a4b9be8305baef60466.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240534,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240536,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240540,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240547,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240582,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240583,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400324,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-096d4c9ce21618defe0b3e4694dc5380e0189009.rb b/lib/one_gadget/builds/libc-2.21-096d4c9ce21618defe0b3e4694dc5380e0189009.rb
index 9920cc9..c2b8bea 100644
--- a/lib/one_gadget/builds/libc-2.21-096d4c9ce21618defe0b3e4694dc5380e0189009.rb
+++ b/lib/one_gadget/builds/libc-2.21-096d4c9ce21618defe0b3e4694dc5380e0189009.rb
@@ -21,22 +21,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 245465,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 245472,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 245481,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 245517,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 245521,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 405823,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 405827,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 405833,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 405837,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.21-13495a0bf9fc076d41056041922792ddb58ac456.rb b/lib/one_gadget/builds/libc-2.21-13495a0bf9fc076d41056041922792ddb58ac456.rb
index 2e0d008..ae8e3ca 100644
--- a/lib/one_gadget/builds/libc-2.21-13495a0bf9fc076d41056041922792ddb58ac456.rb
+++ b/lib/one_gadget/builds/libc-2.21-13495a0bf9fc076d41056041922792ddb58ac456.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 241030,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 241032,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 241036,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241043,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241078,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241079,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400820,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-169a143e9c40cfd9d09695333e45fd67743cd2d6.rb b/lib/one_gadget/builds/libc-2.21-169a143e9c40cfd9d09695333e45fd67743cd2d6.rb
index 799791a..f9900dd 100644
--- a/lib/one_gadget/builds/libc-2.21-169a143e9c40cfd9d09695333e45fd67743cd2d6.rb
+++ b/lib/one_gadget/builds/libc-2.21-169a143e9c40cfd9d09695333e45fd67743cd2d6.rb
@@ -19,14 +19,23 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 252888,
+ constraints: ["writable: x19+0x2a0", "{\"sh\", \"-c\", x23, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x58, environ)")
+OneGadget::Gadget.add(build_id, 252896,
+ constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4+0x9d8 == NULL || {x4+0x9d8, \"-c\", x23, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x58, environ)")
OneGadget::Gadget.add(build_id, 252900,
- constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4+0x9d8 == NULL"],
+ constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4+0x9d8 == NULL || {x4+0x9d8, x3+0x9e0, x23, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x58, environ)")
+OneGadget::Gadget.add(build_id, 252904,
+ constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4 == NULL || {x4, x3+0x9e0, x23, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x58, environ)")
OneGadget::Gadget.add(build_id, 252908,
- constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4 == NULL"],
+ constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4 == NULL || {x4, x3, x23, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x58, environ)")
OneGadget::Gadget.add(build_id, 252976,
- constraints: ["writable: x20+0x4", "[sp+0x58] == NULL"],
+ constraints: ["writable: x20+0x4", "[sp+0x58] == NULL || {[sp+0x58], [sp+0x60], [sp+0x68], [sp+0x70], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x58, environ)")
OneGadget::Gadget.add(build_id, 408244,
constraints: ["x2+0x9e0 == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-1800fb8ed39680604091e8268cd21cb8ee6f747f.rb b/lib/one_gadget/builds/libc-2.21-1800fb8ed39680604091e8268cd21cb8ee6f747f.rb
index b010f1a..9c3b56b 100644
--- a/lib/one_gadget/builds/libc-2.21-1800fb8ed39680604091e8268cd21cb8ee6f747f.rb
+++ b/lib/one_gadget/builds/libc-2.21-1800fb8ed39680604091e8268cd21cb8ee6f747f.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240438,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240440,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240444,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240451,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240486,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240487,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400228,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-185ab573783653be4ea1784a59be3a1499ca64c7.rb b/lib/one_gadget/builds/libc-2.21-185ab573783653be4ea1784a59be3a1499ca64c7.rb
index 845da52..27f1c63 100644
--- a/lib/one_gadget/builds/libc-2.21-185ab573783653be4ea1784a59be3a1499ca64c7.rb
+++ b/lib/one_gadget/builds/libc-2.21-185ab573783653be4ea1784a59be3a1499ca64c7.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240534,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240536,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240540,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240547,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240582,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240583,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400324,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-1a266f551f39283eff85f4ab8913d8b6d57fb290.rb b/lib/one_gadget/builds/libc-2.21-1a266f551f39283eff85f4ab8913d8b6d57fb290.rb
index 667c4f3..0144393 100644
--- a/lib/one_gadget/builds/libc-2.21-1a266f551f39283eff85f4ab8913d8b6d57fb290.rb
+++ b/lib/one_gadget/builds/libc-2.21-1a266f551f39283eff85f4ab8913d8b6d57fb290.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234245,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234247,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234251,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234258,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234293,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234294,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393791,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-1dfdbdb3ed58b70e07e1a94ff3e95d84652cb0f1.rb b/lib/one_gadget/builds/libc-2.21-1dfdbdb3ed58b70e07e1a94ff3e95d84652cb0f1.rb
index f7a38d1..7b77a71 100644
--- a/lib/one_gadget/builds/libc-2.21-1dfdbdb3ed58b70e07e1a94ff3e95d84652cb0f1.rb
+++ b/lib/one_gadget/builds/libc-2.21-1dfdbdb3ed58b70e07e1a94ff3e95d84652cb0f1.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 260175,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260182,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260266,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 757536,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 757756,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 879645,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 879657,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 894929,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-1ee253f6aeaec7a001984e257b86ad7224e46469.rb b/lib/one_gadget/builds/libc-2.21-1ee253f6aeaec7a001984e257b86ad7224e46469.rb
index a8ddb0c..6a9cb55 100644
--- a/lib/one_gadget/builds/libc-2.21-1ee253f6aeaec7a001984e257b86ad7224e46469.rb
+++ b/lib/one_gadget/builds/libc-2.21-1ee253f6aeaec7a001984e257b86ad7224e46469.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259791,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259798,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259882,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 758032,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 758252,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 880141,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 880153,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 895425,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-20b088455f100a9a72e94a69e843b6e0831cbedb.rb b/lib/one_gadget/builds/libc-2.21-20b088455f100a9a72e94a69e843b6e0831cbedb.rb
index 1789f00..a471263 100644
--- a/lib/one_gadget/builds/libc-2.21-20b088455f100a9a72e94a69e843b6e0831cbedb.rb
+++ b/lib/one_gadget/builds/libc-2.21-20b088455f100a9a72e94a69e843b6e0831cbedb.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 260127,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260134,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260218,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 757472,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 757692,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 879581,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 879593,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 894865,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-2466292818ad2b41c64ea7107123fe96010e1b96.rb b/lib/one_gadget/builds/libc-2.21-2466292818ad2b41c64ea7107123fe96010e1b96.rb
index 65dcce4..5f00ecb 100644
--- a/lib/one_gadget/builds/libc-2.21-2466292818ad2b41c64ea7107123fe96010e1b96.rb
+++ b/lib/one_gadget/builds/libc-2.21-2466292818ad2b41c64ea7107123fe96010e1b96.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240438,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240440,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240444,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240451,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240486,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240487,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400228,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-24c3f01054f36f8184ba673743310b5178354334.rb b/lib/one_gadget/builds/libc-2.21-24c3f01054f36f8184ba673743310b5178354334.rb
index bed47b2..5b0aeb8 100644
--- a/lib/one_gadget/builds/libc-2.21-24c3f01054f36f8184ba673743310b5178354334.rb
+++ b/lib/one_gadget/builds/libc-2.21-24c3f01054f36f8184ba673743310b5178354334.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240614,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240616,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240620,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240627,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240662,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240663,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 401556,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-25dd428fb4c350c16dfee20491f1a06484a2bfa3.rb b/lib/one_gadget/builds/libc-2.21-25dd428fb4c350c16dfee20491f1a06484a2bfa3.rb
index 81faad2..a00d0c1 100644
--- a/lib/one_gadget/builds/libc-2.21-25dd428fb4c350c16dfee20491f1a06484a2bfa3.rb
+++ b/lib/one_gadget/builds/libc-2.21-25dd428fb4c350c16dfee20491f1a06484a2bfa3.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 241710,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 241712,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 241716,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241723,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241758,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241759,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 403588,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-2c092eb4091e8d3a20313a09194418595efca9db.rb b/lib/one_gadget/builds/libc-2.21-2c092eb4091e8d3a20313a09194418595efca9db.rb
index f298525..0b9ea8f 100644
--- a/lib/one_gadget/builds/libc-2.21-2c092eb4091e8d3a20313a09194418595efca9db.rb
+++ b/lib/one_gadget/builds/libc-2.21-2c092eb4091e8d3a20313a09194418595efca9db.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240502,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240504,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240508,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240515,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240550,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240551,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400292,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-2e9718e58257bda1dc0d751665a3ee233bf606f2.rb b/lib/one_gadget/builds/libc-2.21-2e9718e58257bda1dc0d751665a3ee233bf606f2.rb
index e4ecf7f..ce76f2a 100644
--- a/lib/one_gadget/builds/libc-2.21-2e9718e58257bda1dc0d751665a3ee233bf606f2.rb
+++ b/lib/one_gadget/builds/libc-2.21-2e9718e58257bda1dc0d751665a3ee233bf606f2.rb
@@ -19,14 +19,23 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 252888,
+ constraints: ["writable: x19+0x2a0", "{\"sh\", \"-c\", x23, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x58, environ)")
+OneGadget::Gadget.add(build_id, 252896,
+ constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4+0x5d8 == NULL || {x4+0x5d8, \"-c\", x23, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x58, environ)")
OneGadget::Gadget.add(build_id, 252900,
- constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4+0x5d8 == NULL"],
+ constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4+0x5d8 == NULL || {x4+0x5d8, x3+0x5e0, x23, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x58, environ)")
+OneGadget::Gadget.add(build_id, 252904,
+ constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4 == NULL || {x4, x3+0x5e0, x23, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x58, environ)")
OneGadget::Gadget.add(build_id, 252908,
- constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4 == NULL"],
+ constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4 == NULL || {x4, x3, x23, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x58, environ)")
OneGadget::Gadget.add(build_id, 252976,
- constraints: ["writable: x20+0x4", "[sp+0x58] == NULL"],
+ constraints: ["writable: x20+0x4", "[sp+0x58] == NULL || {[sp+0x58], [sp+0x60], [sp+0x68], [sp+0x70], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x58, environ)")
OneGadget::Gadget.add(build_id, 408388,
constraints: ["x2+0x5e0 == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-3141017330a2057c655dcb61bd3d9b2c98399181.rb b/lib/one_gadget/builds/libc-2.21-3141017330a2057c655dcb61bd3d9b2c98399181.rb
index f2533e9..0671232 100644
--- a/lib/one_gadget/builds/libc-2.21-3141017330a2057c655dcb61bd3d9b2c98399181.rb
+++ b/lib/one_gadget/builds/libc-2.21-3141017330a2057c655dcb61bd3d9b2c98399181.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240614,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240616,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240620,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240627,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240662,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240663,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 401556,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-39f1a0bc7f66ea42f3341c0d629bae8caef2346d.rb b/lib/one_gadget/builds/libc-2.21-39f1a0bc7f66ea42f3341c0d629bae8caef2346d.rb
index 7a742a3..72791c5 100644
--- a/lib/one_gadget/builds/libc-2.21-39f1a0bc7f66ea42f3341c0d629bae8caef2346d.rb
+++ b/lib/one_gadget/builds/libc-2.21-39f1a0bc7f66ea42f3341c0d629bae8caef2346d.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233925,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233927,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233931,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233938,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233973,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233974,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 394991,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-3af67b618c87a9cfadcf4be33331e34f77f5c842.rb b/lib/one_gadget/builds/libc-2.21-3af67b618c87a9cfadcf4be33331e34f77f5c842.rb
index 701c60a..8029210 100644
--- a/lib/one_gadget/builds/libc-2.21-3af67b618c87a9cfadcf4be33331e34f77f5c842.rb
+++ b/lib/one_gadget/builds/libc-2.21-3af67b618c87a9cfadcf4be33331e34f77f5c842.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240438,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240440,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240444,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240451,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240486,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240487,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400228,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-3b9bef61c919475929cfcc3608bdadb86c3b1c6e.rb b/lib/one_gadget/builds/libc-2.21-3b9bef61c919475929cfcc3608bdadb86c3b1c6e.rb
index 2f46717..2737e25 100644
--- a/lib/one_gadget/builds/libc-2.21-3b9bef61c919475929cfcc3608bdadb86c3b1c6e.rb
+++ b/lib/one_gadget/builds/libc-2.21-3b9bef61c919475929cfcc3608bdadb86c3b1c6e.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 260127,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260134,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260218,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 757472,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 757692,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 879581,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 879593,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 894865,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-3c9e3250b31dfe4b5e139cda266e7beabc47e504.rb b/lib/one_gadget/builds/libc-2.21-3c9e3250b31dfe4b5e139cda266e7beabc47e504.rb
index d23f450..8093552 100644
--- a/lib/one_gadget/builds/libc-2.21-3c9e3250b31dfe4b5e139cda266e7beabc47e504.rb
+++ b/lib/one_gadget/builds/libc-2.21-3c9e3250b31dfe4b5e139cda266e7beabc47e504.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 260175,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260182,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260266,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 758320,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 758540,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 880429,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 880441,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 895713,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-3eab56f86f3ee1745baa9e6fa771e652340487cc.rb b/lib/one_gadget/builds/libc-2.21-3eab56f86f3ee1745baa9e6fa771e652340487cc.rb
index a6b8975..0474d55 100644
--- a/lib/one_gadget/builds/libc-2.21-3eab56f86f3ee1745baa9e6fa771e652340487cc.rb
+++ b/lib/one_gadget/builds/libc-2.21-3eab56f86f3ee1745baa9e6fa771e652340487cc.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240470,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240472,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240476,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240483,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240518,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240519,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400260,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-3f08a19432b31835c71ea7d5b3687562cef053e3.rb b/lib/one_gadget/builds/libc-2.21-3f08a19432b31835c71ea7d5b3687562cef053e3.rb
index 8776443..fc40b02 100644
--- a/lib/one_gadget/builds/libc-2.21-3f08a19432b31835c71ea7d5b3687562cef053e3.rb
+++ b/lib/one_gadget/builds/libc-2.21-3f08a19432b31835c71ea7d5b3687562cef053e3.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 260175,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260182,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260266,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 757552,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 757772,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 879661,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 879673,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 894945,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-3faf7b9bab86ba7024b62d99c859136333b8a70d.rb b/lib/one_gadget/builds/libc-2.21-3faf7b9bab86ba7024b62d99c859136333b8a70d.rb
index 7d0066e..be485cc 100644
--- a/lib/one_gadget/builds/libc-2.21-3faf7b9bab86ba7024b62d99c859136333b8a70d.rb
+++ b/lib/one_gadget/builds/libc-2.21-3faf7b9bab86ba7024b62d99c859136333b8a70d.rb
@@ -19,19 +19,19 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 436370,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 436389,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
OneGadget::Gadget.add(build_id, 436391,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
OneGadget::Gadget.add(build_id, 436395,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 436396,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 597056,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-3fc95a6cdd31b66c550d64d90d0431f68ed43571.rb b/lib/one_gadget/builds/libc-2.21-3fc95a6cdd31b66c550d64d90d0431f68ed43571.rb
index ce2d548..cd0b8ca 100644
--- a/lib/one_gadget/builds/libc-2.21-3fc95a6cdd31b66c550d64d90d0431f68ed43571.rb
+++ b/lib/one_gadget/builds/libc-2.21-3fc95a6cdd31b66c550d64d90d0431f68ed43571.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 260079,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260086,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260170,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 757616,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 757836,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 879709,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 879721,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 894993,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-41530fe252a0d5854827649ddf6e2c8fba9d1653.rb b/lib/one_gadget/builds/libc-2.21-41530fe252a0d5854827649ddf6e2c8fba9d1653.rb
index 2fd6582..2a2b3d7 100644
--- a/lib/one_gadget/builds/libc-2.21-41530fe252a0d5854827649ddf6e2c8fba9d1653.rb
+++ b/lib/one_gadget/builds/libc-2.21-41530fe252a0d5854827649ddf6e2c8fba9d1653.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240438,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240440,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240444,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240451,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240486,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240487,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400228,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-4a0864552f6b027689c7a69efa12e277009c5999.rb b/lib/one_gadget/builds/libc-2.21-4a0864552f6b027689c7a69efa12e277009c5999.rb
index 74d58a4..76f1f4f 100644
--- a/lib/one_gadget/builds/libc-2.21-4a0864552f6b027689c7a69efa12e277009c5999.rb
+++ b/lib/one_gadget/builds/libc-2.21-4a0864552f6b027689c7a69efa12e277009c5999.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240566,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240568,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240572,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240579,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240614,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240615,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400356,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-4b7de972132a4762898ccb1210ffb7cfc0e6f14e.rb b/lib/one_gadget/builds/libc-2.21-4b7de972132a4762898ccb1210ffb7cfc0e6f14e.rb
index bd3b33c..c1af13a 100644
--- a/lib/one_gadget/builds/libc-2.21-4b7de972132a4762898ccb1210ffb7cfc0e6f14e.rb
+++ b/lib/one_gadget/builds/libc-2.21-4b7de972132a4762898ccb1210ffb7cfc0e6f14e.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240702,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240704,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240708,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240715,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240750,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240751,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 402036,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-4ce84d266a07230287b230ac4ce8ba2d2f3f854e.rb b/lib/one_gadget/builds/libc-2.21-4ce84d266a07230287b230ac4ce8ba2d2f3f854e.rb
index d475e8c..4ee9741 100644
--- a/lib/one_gadget/builds/libc-2.21-4ce84d266a07230287b230ac4ce8ba2d2f3f854e.rb
+++ b/lib/one_gadget/builds/libc-2.21-4ce84d266a07230287b230ac4ce8ba2d2f3f854e.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233861,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233863,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233867,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233874,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233909,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233910,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 394927,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-4dec520cda38e785c80e30db8fcd5428cee0f324.rb b/lib/one_gadget/builds/libc-2.21-4dec520cda38e785c80e30db8fcd5428cee0f324.rb
index e866bc9..c4a2389 100644
--- a/lib/one_gadget/builds/libc-2.21-4dec520cda38e785c80e30db8fcd5428cee0f324.rb
+++ b/lib/one_gadget/builds/libc-2.21-4dec520cda38e785c80e30db8fcd5428cee0f324.rb
@@ -19,19 +19,19 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 436306,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 436325,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
OneGadget::Gadget.add(build_id, 436327,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
OneGadget::Gadget.add(build_id, 436331,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 436332,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 596272,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-4f14eb66c408453973042c95d25f4e014bf4e364.rb b/lib/one_gadget/builds/libc-2.21-4f14eb66c408453973042c95d25f4e014bf4e364.rb
index e76b415..3adbfa2 100644
--- a/lib/one_gadget/builds/libc-2.21-4f14eb66c408453973042c95d25f4e014bf4e364.rb
+++ b/lib/one_gadget/builds/libc-2.21-4f14eb66c408453973042c95d25f4e014bf4e364.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255778,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 255785,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 255869,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 708656,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 708876,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 837619,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 837631,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 852625,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-503c5dd98cc9529359e601c1595c995cf359df30.rb b/lib/one_gadget/builds/libc-2.21-503c5dd98cc9529359e601c1595c995cf359df30.rb
index 932daef..baab00e 100644
--- a/lib/one_gadget/builds/libc-2.21-503c5dd98cc9529359e601c1595c995cf359df30.rb
+++ b/lib/one_gadget/builds/libc-2.21-503c5dd98cc9529359e601c1595c995cf359df30.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234245,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234247,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234251,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234258,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234293,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234294,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393791,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-505a88bc8f93a7ba339895ce27dc4ad8331cad7d.rb b/lib/one_gadget/builds/libc-2.21-505a88bc8f93a7ba339895ce27dc4ad8331cad7d.rb
index 8947b5c..dac25ed 100644
--- a/lib/one_gadget/builds/libc-2.21-505a88bc8f93a7ba339895ce27dc4ad8331cad7d.rb
+++ b/lib/one_gadget/builds/libc-2.21-505a88bc8f93a7ba339895ce27dc4ad8331cad7d.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 260143,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260150,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260234,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 757520,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 757740,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 879629,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 879641,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 894913,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-53377f31675a81af793df0c63b40e193a4a6999b.rb b/lib/one_gadget/builds/libc-2.21-53377f31675a81af793df0c63b40e193a4a6999b.rb
index db22543..351b9e1 100644
--- a/lib/one_gadget/builds/libc-2.21-53377f31675a81af793df0c63b40e193a4a6999b.rb
+++ b/lib/one_gadget/builds/libc-2.21-53377f31675a81af793df0c63b40e193a4a6999b.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240614,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240616,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240620,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240627,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240662,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240663,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400404,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-53b6f3047638b0703bf1091fe4c3afe79445d546.rb b/lib/one_gadget/builds/libc-2.21-53b6f3047638b0703bf1091fe4c3afe79445d546.rb
index 9529961..f6a495c 100644
--- a/lib/one_gadget/builds/libc-2.21-53b6f3047638b0703bf1091fe4c3afe79445d546.rb
+++ b/lib/one_gadget/builds/libc-2.21-53b6f3047638b0703bf1091fe4c3afe79445d546.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 260111,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260118,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260202,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 757488,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 757708,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 879597,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 879609,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 894881,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-570c7051e379d909016cb81933bc5701daecd428.rb b/lib/one_gadget/builds/libc-2.21-570c7051e379d909016cb81933bc5701daecd428.rb
index 421cfc2..c4d389e 100644
--- a/lib/one_gadget/builds/libc-2.21-570c7051e379d909016cb81933bc5701daecd428.rb
+++ b/lib/one_gadget/builds/libc-2.21-570c7051e379d909016cb81933bc5701daecd428.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240470,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240472,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240476,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240483,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240518,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240519,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400260,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-591e5a56f9d466a7c70baf6684d99843ab8c45d1.rb b/lib/one_gadget/builds/libc-2.21-591e5a56f9d466a7c70baf6684d99843ab8c45d1.rb
index ab4353f..c31ab7e 100644
--- a/lib/one_gadget/builds/libc-2.21-591e5a56f9d466a7c70baf6684d99843ab8c45d1.rb
+++ b/lib/one_gadget/builds/libc-2.21-591e5a56f9d466a7c70baf6684d99843ab8c45d1.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234181,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234183,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234187,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234194,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234229,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234230,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393727,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-59b7200857a55acdfa5de730a573eed0cfec0962.rb b/lib/one_gadget/builds/libc-2.21-59b7200857a55acdfa5de730a573eed0cfec0962.rb
index d8c99b2..e48c236 100644
--- a/lib/one_gadget/builds/libc-2.21-59b7200857a55acdfa5de730a573eed0cfec0962.rb
+++ b/lib/one_gadget/builds/libc-2.21-59b7200857a55acdfa5de730a573eed0cfec0962.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 241030,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 241032,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 241036,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241043,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241078,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241079,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400820,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-59c981c8e0e729ae7c562daa00be2cdb8e0c090a.rb b/lib/one_gadget/builds/libc-2.21-59c981c8e0e729ae7c562daa00be2cdb8e0c090a.rb
index ab6a6d1..104ae75 100644
--- a/lib/one_gadget/builds/libc-2.21-59c981c8e0e729ae7c562daa00be2cdb8e0c090a.rb
+++ b/lib/one_gadget/builds/libc-2.21-59c981c8e0e729ae7c562daa00be2cdb8e0c090a.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 260127,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260134,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260218,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 757472,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 757692,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 879581,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 879593,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 894865,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-59eae8a903584dcbc14cf07c719cd23b9f65e230.rb b/lib/one_gadget/builds/libc-2.21-59eae8a903584dcbc14cf07c719cd23b9f65e230.rb
index 6af6c62..8650515 100644
--- a/lib/one_gadget/builds/libc-2.21-59eae8a903584dcbc14cf07c719cd23b9f65e230.rb
+++ b/lib/one_gadget/builds/libc-2.21-59eae8a903584dcbc14cf07c719cd23b9f65e230.rb
@@ -19,28 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 279119,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 279126,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 279210,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 833888,
- constraints: ["[rcx] == NULL || rcx == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, r12)")
OneGadget::Gadget.add(build_id, 834112,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 985072,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 985084,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 988861,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 1009920,
- constraints: ["[r8] == NULL || r8 == NULL", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL"],
+ constraints: ["[r8] == NULL || r8 == NULL || r8 is a valid argv", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL || [rbp-0xf8] is a valid envp"],
effect: "execve(\"/bin/sh\", r8, [rbp-0xf8])")
diff --git a/lib/one_gadget/builds/libc-2.21-5a22b7ec63fd7c5dc6a92875046515f4beac727d.rb b/lib/one_gadget/builds/libc-2.21-5a22b7ec63fd7c5dc6a92875046515f4beac727d.rb
index c8d0816..9c24de4 100644
--- a/lib/one_gadget/builds/libc-2.21-5a22b7ec63fd7c5dc6a92875046515f4beac727d.rb
+++ b/lib/one_gadget/builds/libc-2.21-5a22b7ec63fd7c5dc6a92875046515f4beac727d.rb
@@ -19,19 +19,19 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 436370,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 436389,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
OneGadget::Gadget.add(build_id, 436391,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
OneGadget::Gadget.add(build_id, 436395,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 436396,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 597056,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-5c9f149296e581c181529723f7eb44bf10a7d746.rb b/lib/one_gadget/builds/libc-2.21-5c9f149296e581c181529723f7eb44bf10a7d746.rb
index 2b1f0dd..4697af2 100644
--- a/lib/one_gadget/builds/libc-2.21-5c9f149296e581c181529723f7eb44bf10a7d746.rb
+++ b/lib/one_gadget/builds/libc-2.21-5c9f149296e581c181529723f7eb44bf10a7d746.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 260239,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260246,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260330,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 757584,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 757804,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 879677,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 879689,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 894961,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-5ccd94c4e3483df05be240ff1fb8a3f53794cc6f.rb b/lib/one_gadget/builds/libc-2.21-5ccd94c4e3483df05be240ff1fb8a3f53794cc6f.rb
index 596aa10..91a83c8 100644
--- a/lib/one_gadget/builds/libc-2.21-5ccd94c4e3483df05be240ff1fb8a3f53794cc6f.rb
+++ b/lib/one_gadget/builds/libc-2.21-5ccd94c4e3483df05be240ff1fb8a3f53794cc6f.rb
@@ -19,28 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 279039,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 279046,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 279130,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 834544,
- constraints: ["[rcx] == NULL || rcx == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, r12)")
OneGadget::Gadget.add(build_id, 834768,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 985728,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 985740,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 989517,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 1010576,
- constraints: ["[r8] == NULL || r8 == NULL", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL"],
+ constraints: ["[r8] == NULL || r8 == NULL || r8 is a valid argv", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL || [rbp-0xf8] is a valid envp"],
effect: "execve(\"/bin/sh\", r8, [rbp-0xf8])")
diff --git a/lib/one_gadget/builds/libc-2.21-5f977df2af6a6a25e48e60dd867680d79dc6da8e.rb b/lib/one_gadget/builds/libc-2.21-5f977df2af6a6a25e48e60dd867680d79dc6da8e.rb
index 04a0f61..33f64db 100644
--- a/lib/one_gadget/builds/libc-2.21-5f977df2af6a6a25e48e60dd867680d79dc6da8e.rb
+++ b/lib/one_gadget/builds/libc-2.21-5f977df2af6a6a25e48e60dd867680d79dc6da8e.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 260079,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260086,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260170,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 757456,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 757676,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 879565,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 879577,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 894849,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-60e1d8111d5fec5580da9105670e78a63287732e.rb b/lib/one_gadget/builds/libc-2.21-60e1d8111d5fec5580da9105670e78a63287732e.rb
index e57077b..b7ed172 100644
--- a/lib/one_gadget/builds/libc-2.21-60e1d8111d5fec5580da9105670e78a63287732e.rb
+++ b/lib/one_gadget/builds/libc-2.21-60e1d8111d5fec5580da9105670e78a63287732e.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 260111,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260118,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260202,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 757488,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 757708,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 879597,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 879609,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 894881,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-629ae1554ea01c67fdedb7874de4686f6c30b6e3.rb b/lib/one_gadget/builds/libc-2.21-629ae1554ea01c67fdedb7874de4686f6c30b6e3.rb
index 0617ce2..5358782 100644
--- a/lib/one_gadget/builds/libc-2.21-629ae1554ea01c67fdedb7874de4686f6c30b6e3.rb
+++ b/lib/one_gadget/builds/libc-2.21-629ae1554ea01c67fdedb7874de4686f6c30b6e3.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234101,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234103,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234107,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234114,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234149,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234150,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 394623,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-63c3d4b45af73dff54258c5a5cab9e3d828cc766.rb b/lib/one_gadget/builds/libc-2.21-63c3d4b45af73dff54258c5a5cab9e3d828cc766.rb
index ad497fc..1fed0ba 100644
--- a/lib/one_gadget/builds/libc-2.21-63c3d4b45af73dff54258c5a5cab9e3d828cc766.rb
+++ b/lib/one_gadget/builds/libc-2.21-63c3d4b45af73dff54258c5a5cab9e3d828cc766.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234181,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234183,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234187,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234194,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234229,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234230,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393727,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-64125575d05a0aedbfe187ef0f95431229c5aac8.rb b/lib/one_gadget/builds/libc-2.21-64125575d05a0aedbfe187ef0f95431229c5aac8.rb
index 22dae40..e1b73af 100644
--- a/lib/one_gadget/builds/libc-2.21-64125575d05a0aedbfe187ef0f95431229c5aac8.rb
+++ b/lib/one_gadget/builds/libc-2.21-64125575d05a0aedbfe187ef0f95431229c5aac8.rb
@@ -19,19 +19,19 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 436306,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 436325,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
OneGadget::Gadget.add(build_id, 436327,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
OneGadget::Gadget.add(build_id, 436331,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 436332,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 596992,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-6980ac7f9370d2bbb2aade5ceeedc8afc4f02f3e.rb b/lib/one_gadget/builds/libc-2.21-6980ac7f9370d2bbb2aade5ceeedc8afc4f02f3e.rb
index 458d083..ad2da00 100644
--- a/lib/one_gadget/builds/libc-2.21-6980ac7f9370d2bbb2aade5ceeedc8afc4f02f3e.rb
+++ b/lib/one_gadget/builds/libc-2.21-6980ac7f9370d2bbb2aade5ceeedc8afc4f02f3e.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234181,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234183,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234187,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234194,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234229,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234230,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393727,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-7b173624b62ee3bd8049bdeaaff990839eb4cb36.rb b/lib/one_gadget/builds/libc-2.21-7b173624b62ee3bd8049bdeaaff990839eb4cb36.rb
index c4911ae..fb84868 100644
--- a/lib/one_gadget/builds/libc-2.21-7b173624b62ee3bd8049bdeaaff990839eb4cb36.rb
+++ b/lib/one_gadget/builds/libc-2.21-7b173624b62ee3bd8049bdeaaff990839eb4cb36.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240502,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240504,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240508,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240515,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240550,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240551,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400292,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-7d672538d6a08ce14e4bd6e931392bf63156f490.rb b/lib/one_gadget/builds/libc-2.21-7d672538d6a08ce14e4bd6e931392bf63156f490.rb
index 564fd1e..cab8f22 100644
--- a/lib/one_gadget/builds/libc-2.21-7d672538d6a08ce14e4bd6e931392bf63156f490.rb
+++ b/lib/one_gadget/builds/libc-2.21-7d672538d6a08ce14e4bd6e931392bf63156f490.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240598,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240600,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240604,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240611,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240646,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240647,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400388,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-7f4a3fabc90bc1e410fe6377e2a1826d426c8f57.rb b/lib/one_gadget/builds/libc-2.21-7f4a3fabc90bc1e410fe6377e2a1826d426c8f57.rb
index 5aa15d8..59e9fc7 100644
--- a/lib/one_gadget/builds/libc-2.21-7f4a3fabc90bc1e410fe6377e2a1826d426c8f57.rb
+++ b/lib/one_gadget/builds/libc-2.21-7f4a3fabc90bc1e410fe6377e2a1826d426c8f57.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 260175,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260182,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260266,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 757744,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 757964,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 879853,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 879865,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 895137,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-80e8cfbc6550fde842cfb72ba97d916827d462df.rb b/lib/one_gadget/builds/libc-2.21-80e8cfbc6550fde842cfb72ba97d916827d462df.rb
index 1f0367f..beb64a4 100644
--- a/lib/one_gadget/builds/libc-2.21-80e8cfbc6550fde842cfb72ba97d916827d462df.rb
+++ b/lib/one_gadget/builds/libc-2.21-80e8cfbc6550fde842cfb72ba97d916827d462df.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234245,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234247,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234251,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234258,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234293,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234294,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393791,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-82d7d2a5db69a59c01ca5d2a63250ca6a6bd08a3.rb b/lib/one_gadget/builds/libc-2.21-82d7d2a5db69a59c01ca5d2a63250ca6a6bd08a3.rb
index 2f84599..d220e20 100644
--- a/lib/one_gadget/builds/libc-2.21-82d7d2a5db69a59c01ca5d2a63250ca6a6bd08a3.rb
+++ b/lib/one_gadget/builds/libc-2.21-82d7d2a5db69a59c01ca5d2a63250ca6a6bd08a3.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240815,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240817,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240821,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240828,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240863,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240864,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 402644,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-834a46faae116cb9500c57d6c06e701f98a52e2e.rb b/lib/one_gadget/builds/libc-2.21-834a46faae116cb9500c57d6c06e701f98a52e2e.rb
index 4a07d31..06752d0 100644
--- a/lib/one_gadget/builds/libc-2.21-834a46faae116cb9500c57d6c06e701f98a52e2e.rb
+++ b/lib/one_gadget/builds/libc-2.21-834a46faae116cb9500c57d6c06e701f98a52e2e.rb
@@ -19,19 +19,19 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 436306,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 436325,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
OneGadget::Gadget.add(build_id, 436327,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
OneGadget::Gadget.add(build_id, 436331,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 436332,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 596992,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-83d46f5dc4d7894ea923bf566f6b38bfceedc6e1.rb b/lib/one_gadget/builds/libc-2.21-83d46f5dc4d7894ea923bf566f6b38bfceedc6e1.rb
index 559f437..c8c8d9e 100644
--- a/lib/one_gadget/builds/libc-2.21-83d46f5dc4d7894ea923bf566f6b38bfceedc6e1.rb
+++ b/lib/one_gadget/builds/libc-2.21-83d46f5dc4d7894ea923bf566f6b38bfceedc6e1.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240438,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240440,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240444,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240451,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240486,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240487,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400228,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-847fa75888ee989393032f4ae5a133902df3e2cb.rb b/lib/one_gadget/builds/libc-2.21-847fa75888ee989393032f4ae5a133902df3e2cb.rb
index 67a4a40..51f2d59 100644
--- a/lib/one_gadget/builds/libc-2.21-847fa75888ee989393032f4ae5a133902df3e2cb.rb
+++ b/lib/one_gadget/builds/libc-2.21-847fa75888ee989393032f4ae5a133902df3e2cb.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255778,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 255785,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 255869,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 708656,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 708876,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 837619,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 837631,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 852625,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-8626995277c9a0db7fec384061c564c3ea50eeae.rb b/lib/one_gadget/builds/libc-2.21-8626995277c9a0db7fec384061c564c3ea50eeae.rb
index 9fc8f04..4ddb209 100644
--- a/lib/one_gadget/builds/libc-2.21-8626995277c9a0db7fec384061c564c3ea50eeae.rb
+++ b/lib/one_gadget/builds/libc-2.21-8626995277c9a0db7fec384061c564c3ea50eeae.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240702,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240704,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240708,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240715,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240750,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240751,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 402036,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-86d752d92fbf1e8b558018e4b122dab52b304ab6.rb b/lib/one_gadget/builds/libc-2.21-86d752d92fbf1e8b558018e4b122dab52b304ab6.rb
index 17c21b7..28c6e4d 100644
--- a/lib/one_gadget/builds/libc-2.21-86d752d92fbf1e8b558018e4b122dab52b304ab6.rb
+++ b/lib/one_gadget/builds/libc-2.21-86d752d92fbf1e8b558018e4b122dab52b304ab6.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240614,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240616,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240620,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240627,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240662,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240663,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 401556,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-879c9c4ffc5aabfd0a9c9d1b1c73d5f1df969aac.rb b/lib/one_gadget/builds/libc-2.21-879c9c4ffc5aabfd0a9c9d1b1c73d5f1df969aac.rb
index d6e5247..3fb421b 100644
--- a/lib/one_gadget/builds/libc-2.21-879c9c4ffc5aabfd0a9c9d1b1c73d5f1df969aac.rb
+++ b/lib/one_gadget/builds/libc-2.21-879c9c4ffc5aabfd0a9c9d1b1c73d5f1df969aac.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259679,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259686,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259770,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756768,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 756988,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 878733,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878745,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 894017,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-87ded6f6ac3f40a59e17170307d0b15c1170552c.rb b/lib/one_gadget/builds/libc-2.21-87ded6f6ac3f40a59e17170307d0b15c1170552c.rb
index 38d0b75..8b14b9b 100644
--- a/lib/one_gadget/builds/libc-2.21-87ded6f6ac3f40a59e17170307d0b15c1170552c.rb
+++ b/lib/one_gadget/builds/libc-2.21-87ded6f6ac3f40a59e17170307d0b15c1170552c.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255474,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 255481,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 255565,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 709248,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 709468,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 838211,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 838223,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 853217,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-8acd43cf74a9756cd727b8516b08679ee071a92d.rb b/lib/one_gadget/builds/libc-2.21-8acd43cf74a9756cd727b8516b08679ee071a92d.rb
index b57c333..58f68e0 100644
--- a/lib/one_gadget/builds/libc-2.21-8acd43cf74a9756cd727b8516b08679ee071a92d.rb
+++ b/lib/one_gadget/builds/libc-2.21-8acd43cf74a9756cd727b8516b08679ee071a92d.rb
@@ -19,28 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 279119,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 279126,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 279210,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 833984,
- constraints: ["[rcx] == NULL || rcx == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, r12)")
OneGadget::Gadget.add(build_id, 834208,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 985152,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 985164,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 988941,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 1010000,
- constraints: ["[r8] == NULL || r8 == NULL", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL"],
+ constraints: ["[r8] == NULL || r8 == NULL || r8 is a valid argv", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL || [rbp-0xf8] is a valid envp"],
effect: "execve(\"/bin/sh\", r8, [rbp-0xf8])")
diff --git a/lib/one_gadget/builds/libc-2.21-8e845b188299cb419b70cf5de27c22a50f776fce.rb b/lib/one_gadget/builds/libc-2.21-8e845b188299cb419b70cf5de27c22a50f776fce.rb
index 5aadb6b..8877d26 100644
--- a/lib/one_gadget/builds/libc-2.21-8e845b188299cb419b70cf5de27c22a50f776fce.rb
+++ b/lib/one_gadget/builds/libc-2.21-8e845b188299cb419b70cf5de27c22a50f776fce.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240438,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240440,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240444,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240451,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240486,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240487,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400228,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-924acd9c6de558f26574bdc2eaa3048b597f2e5e.rb b/lib/one_gadget/builds/libc-2.21-924acd9c6de558f26574bdc2eaa3048b597f2e5e.rb
index 64b5ac3..7f4d6c6 100644
--- a/lib/one_gadget/builds/libc-2.21-924acd9c6de558f26574bdc2eaa3048b597f2e5e.rb
+++ b/lib/one_gadget/builds/libc-2.21-924acd9c6de558f26574bdc2eaa3048b597f2e5e.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234181,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234183,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234187,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234194,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234229,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234230,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393727,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-93d704dff1ec8dceb660b58863d2a36afd52b66e.rb b/lib/one_gadget/builds/libc-2.21-93d704dff1ec8dceb660b58863d2a36afd52b66e.rb
index 3765f30..34836c6 100644
--- a/lib/one_gadget/builds/libc-2.21-93d704dff1ec8dceb660b58863d2a36afd52b66e.rb
+++ b/lib/one_gadget/builds/libc-2.21-93d704dff1ec8dceb660b58863d2a36afd52b66e.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234245,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234247,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234251,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234258,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234293,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234294,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393791,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-9595d37f80a7925dc75efa522c839df34edb4b46.rb b/lib/one_gadget/builds/libc-2.21-9595d37f80a7925dc75efa522c839df34edb4b46.rb
index a903f79..9e20bc0 100644
--- a/lib/one_gadget/builds/libc-2.21-9595d37f80a7925dc75efa522c839df34edb4b46.rb
+++ b/lib/one_gadget/builds/libc-2.21-9595d37f80a7925dc75efa522c839df34edb4b46.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233829,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233831,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233835,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233842,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233877,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233878,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 395455,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-9ac81172d5ff96f40d984fe7c10073a98f1a6b2e.rb b/lib/one_gadget/builds/libc-2.21-9ac81172d5ff96f40d984fe7c10073a98f1a6b2e.rb
index 72407f5..9ce0781 100644
--- a/lib/one_gadget/builds/libc-2.21-9ac81172d5ff96f40d984fe7c10073a98f1a6b2e.rb
+++ b/lib/one_gadget/builds/libc-2.21-9ac81172d5ff96f40d984fe7c10073a98f1a6b2e.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259679,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259686,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259770,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756768,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 756988,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 878733,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878745,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 894017,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-9c764e8fb2df1bccb33ffedd92cd8659aab98e33.rb b/lib/one_gadget/builds/libc-2.21-9c764e8fb2df1bccb33ffedd92cd8659aab98e33.rb
index 7b08d41..a2e2c67 100644
--- a/lib/one_gadget/builds/libc-2.21-9c764e8fb2df1bccb33ffedd92cd8659aab98e33.rb
+++ b/lib/one_gadget/builds/libc-2.21-9c764e8fb2df1bccb33ffedd92cd8659aab98e33.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234101,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234103,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234107,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234114,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234149,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234150,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 394623,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-9cf342a68f1a7b4b6ba4df62667c5f4ee8cf7687.rb b/lib/one_gadget/builds/libc-2.21-9cf342a68f1a7b4b6ba4df62667c5f4ee8cf7687.rb
index a9b9e6f..040a42c 100644
--- a/lib/one_gadget/builds/libc-2.21-9cf342a68f1a7b4b6ba4df62667c5f4ee8cf7687.rb
+++ b/lib/one_gadget/builds/libc-2.21-9cf342a68f1a7b4b6ba4df62667c5f4ee8cf7687.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234181,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234183,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234187,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234194,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234229,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234230,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393727,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-9d0884395161c74567d7fea747e15c9a31785e06.rb b/lib/one_gadget/builds/libc-2.21-9d0884395161c74567d7fea747e15c9a31785e06.rb
index 7544c84..1d67065 100644
--- a/lib/one_gadget/builds/libc-2.21-9d0884395161c74567d7fea747e15c9a31785e06.rb
+++ b/lib/one_gadget/builds/libc-2.21-9d0884395161c74567d7fea747e15c9a31785e06.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240566,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240568,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240572,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240579,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240614,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240615,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400356,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-a0ccdc12ed6ad0d67778aff9b49abc3c8eb30b9a.rb b/lib/one_gadget/builds/libc-2.21-a0ccdc12ed6ad0d67778aff9b49abc3c8eb30b9a.rb
index 42c2d81..3f528cc 100644
--- a/lib/one_gadget/builds/libc-2.21-a0ccdc12ed6ad0d67778aff9b49abc3c8eb30b9a.rb
+++ b/lib/one_gadget/builds/libc-2.21-a0ccdc12ed6ad0d67778aff9b49abc3c8eb30b9a.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 241694,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 241696,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 241700,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241707,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241742,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241743,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 404388,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-a167f5367b27f9493cefac9b23e68f180239e96c.rb b/lib/one_gadget/builds/libc-2.21-a167f5367b27f9493cefac9b23e68f180239e96c.rb
index e0a1735..1b8fd06 100644
--- a/lib/one_gadget/builds/libc-2.21-a167f5367b27f9493cefac9b23e68f180239e96c.rb
+++ b/lib/one_gadget/builds/libc-2.21-a167f5367b27f9493cefac9b23e68f180239e96c.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255762,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 255769,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 255853,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 708672,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 708892,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 837635,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 837647,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 852641,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-a1f20771562e9a58f6d2746d38a09694d4cbc345.rb b/lib/one_gadget/builds/libc-2.21-a1f20771562e9a58f6d2746d38a09694d4cbc345.rb
index 60608bf..81d1001 100644
--- a/lib/one_gadget/builds/libc-2.21-a1f20771562e9a58f6d2746d38a09694d4cbc345.rb
+++ b/lib/one_gadget/builds/libc-2.21-a1f20771562e9a58f6d2746d38a09694d4cbc345.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233861,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233863,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233867,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233874,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233909,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233910,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 394927,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-a235f288513fa6064a856c499e0453f9f4a44f8a.rb b/lib/one_gadget/builds/libc-2.21-a235f288513fa6064a856c499e0453f9f4a44f8a.rb
index 77a2ecb..f1c5ddb 100644
--- a/lib/one_gadget/builds/libc-2.21-a235f288513fa6064a856c499e0453f9f4a44f8a.rb
+++ b/lib/one_gadget/builds/libc-2.21-a235f288513fa6064a856c499e0453f9f4a44f8a.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234181,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234183,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234187,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234194,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234229,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234230,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393727,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-a5c1de4517ba044d2f7cfa479e69f29bbc673c6a.rb b/lib/one_gadget/builds/libc-2.21-a5c1de4517ba044d2f7cfa479e69f29bbc673c6a.rb
index bde1cc5..81fddcc 100644
--- a/lib/one_gadget/builds/libc-2.21-a5c1de4517ba044d2f7cfa479e69f29bbc673c6a.rb
+++ b/lib/one_gadget/builds/libc-2.21-a5c1de4517ba044d2f7cfa479e69f29bbc673c6a.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 242190,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 242192,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 242196,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 242203,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 242238,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 242239,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 404068,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-a890a8ee268f8ae36ae0810b6eea7c45766b4133.rb b/lib/one_gadget/builds/libc-2.21-a890a8ee268f8ae36ae0810b6eea7c45766b4133.rb
index 02c66df..94879a2 100644
--- a/lib/one_gadget/builds/libc-2.21-a890a8ee268f8ae36ae0810b6eea7c45766b4133.rb
+++ b/lib/one_gadget/builds/libc-2.21-a890a8ee268f8ae36ae0810b6eea7c45766b4133.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259791,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259798,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259882,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 758240,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 758460,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 880349,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 880361,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 895633,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-a9274e5d52fbb32ba32bae055f69ba1741771e79.rb b/lib/one_gadget/builds/libc-2.21-a9274e5d52fbb32ba32bae055f69ba1741771e79.rb
index 8b95270..f13d4a2 100644
--- a/lib/one_gadget/builds/libc-2.21-a9274e5d52fbb32ba32bae055f69ba1741771e79.rb
+++ b/lib/one_gadget/builds/libc-2.21-a9274e5d52fbb32ba32bae055f69ba1741771e79.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240438,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240440,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240444,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240451,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240486,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240487,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400228,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-ab066cff9171d55efb0dd884d31c18682ae6922b.rb b/lib/one_gadget/builds/libc-2.21-ab066cff9171d55efb0dd884d31c18682ae6922b.rb
index fdc16d2..09b9fe8 100644
--- a/lib/one_gadget/builds/libc-2.21-ab066cff9171d55efb0dd884d31c18682ae6922b.rb
+++ b/lib/one_gadget/builds/libc-2.21-ab066cff9171d55efb0dd884d31c18682ae6922b.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240438,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240440,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240444,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240451,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240486,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240487,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400228,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-af2daffab6880d8bc68db4143643c132164dc7ca.rb b/lib/one_gadget/builds/libc-2.21-af2daffab6880d8bc68db4143643c132164dc7ca.rb
index 827c2e9..592ee28 100644
--- a/lib/one_gadget/builds/libc-2.21-af2daffab6880d8bc68db4143643c132164dc7ca.rb
+++ b/lib/one_gadget/builds/libc-2.21-af2daffab6880d8bc68db4143643c132164dc7ca.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 260175,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260182,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260266,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 758320,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 758540,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 880429,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 880441,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 895713,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-b180bd3047be9b4b70fb28455365546001b76e85.rb b/lib/one_gadget/builds/libc-2.21-b180bd3047be9b4b70fb28455365546001b76e85.rb
index 9e05c47..46798e8 100644
--- a/lib/one_gadget/builds/libc-2.21-b180bd3047be9b4b70fb28455365546001b76e85.rb
+++ b/lib/one_gadget/builds/libc-2.21-b180bd3047be9b4b70fb28455365546001b76e85.rb
@@ -19,19 +19,19 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 436370,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 436389,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
OneGadget::Gadget.add(build_id, 436391,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
OneGadget::Gadget.add(build_id, 436395,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 436396,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 597056,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-b440183d6aefac5a9259f6e2de824e43e85ed341.rb b/lib/one_gadget/builds/libc-2.21-b440183d6aefac5a9259f6e2de824e43e85ed341.rb
index 34bfba5..0a772a4 100644
--- a/lib/one_gadget/builds/libc-2.21-b440183d6aefac5a9259f6e2de824e43e85ed341.rb
+++ b/lib/one_gadget/builds/libc-2.21-b440183d6aefac5a9259f6e2de824e43e85ed341.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259743,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259750,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259834,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 755223,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 755432,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 877607,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 877619,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 892481,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-b551bf2740c7e79d1722776a6e0d35d65885d037.rb b/lib/one_gadget/builds/libc-2.21-b551bf2740c7e79d1722776a6e0d35d65885d037.rb
index 392b9ed..212f6ab 100644
--- a/lib/one_gadget/builds/libc-2.21-b551bf2740c7e79d1722776a6e0d35d65885d037.rb
+++ b/lib/one_gadget/builds/libc-2.21-b551bf2740c7e79d1722776a6e0d35d65885d037.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 242190,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 242192,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 242196,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 242203,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 242238,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 242239,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 404068,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-b7ac9e99f0fc2fb83f98b6a01615c0508de638a8.rb b/lib/one_gadget/builds/libc-2.21-b7ac9e99f0fc2fb83f98b6a01615c0508de638a8.rb
index 7ac0d2f..6e827b9 100644
--- a/lib/one_gadget/builds/libc-2.21-b7ac9e99f0fc2fb83f98b6a01615c0508de638a8.rb
+++ b/lib/one_gadget/builds/libc-2.21-b7ac9e99f0fc2fb83f98b6a01615c0508de638a8.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 260239,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260246,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260330,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 757600,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 757820,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 879709,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 879721,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 894993,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-b8c6428b947bad767595961d6cb907493073183c.rb b/lib/one_gadget/builds/libc-2.21-b8c6428b947bad767595961d6cb907493073183c.rb
index b30621f..7c8c63e 100644
--- a/lib/one_gadget/builds/libc-2.21-b8c6428b947bad767595961d6cb907493073183c.rb
+++ b/lib/one_gadget/builds/libc-2.21-b8c6428b947bad767595961d6cb907493073183c.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240438,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240440,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240444,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240451,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240486,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240487,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400228,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-b8daa3ddab3acf64323b47fee32338d5c9591c4d.rb b/lib/one_gadget/builds/libc-2.21-b8daa3ddab3acf64323b47fee32338d5c9591c4d.rb
index c4debb4..e8448ba 100644
--- a/lib/one_gadget/builds/libc-2.21-b8daa3ddab3acf64323b47fee32338d5c9591c4d.rb
+++ b/lib/one_gadget/builds/libc-2.21-b8daa3ddab3acf64323b47fee32338d5c9591c4d.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 241742,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 241744,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 241748,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241755,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241790,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241791,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 403620,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-bbfccd958f34a2292058d60a0ddf19e1fcd4ec1e.rb b/lib/one_gadget/builds/libc-2.21-bbfccd958f34a2292058d60a0ddf19e1fcd4ec1e.rb
index cd21e93..9afec25 100644
--- a/lib/one_gadget/builds/libc-2.21-bbfccd958f34a2292058d60a0ddf19e1fcd4ec1e.rb
+++ b/lib/one_gadget/builds/libc-2.21-bbfccd958f34a2292058d60a0ddf19e1fcd4ec1e.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240502,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240504,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240508,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240515,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240550,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240551,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400292,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-bda2fd9acb85c5de61a1d4c7e2098fce25f3199f.rb b/lib/one_gadget/builds/libc-2.21-bda2fd9acb85c5de61a1d4c7e2098fce25f3199f.rb
index 2eba528..916bbc3 100644
--- a/lib/one_gadget/builds/libc-2.21-bda2fd9acb85c5de61a1d4c7e2098fce25f3199f.rb
+++ b/lib/one_gadget/builds/libc-2.21-bda2fd9acb85c5de61a1d4c7e2098fce25f3199f.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234245,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234247,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234251,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234258,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234293,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234294,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393791,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-c164b79c008a3ad0c2f0277688274a0c3c98e79b.rb b/lib/one_gadget/builds/libc-2.21-c164b79c008a3ad0c2f0277688274a0c3c98e79b.rb
index 5790979..1b4b7e3 100644
--- a/lib/one_gadget/builds/libc-2.21-c164b79c008a3ad0c2f0277688274a0c3c98e79b.rb
+++ b/lib/one_gadget/builds/libc-2.21-c164b79c008a3ad0c2f0277688274a0c3c98e79b.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240502,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240504,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240508,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240515,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240550,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240551,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400292,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-c2f12c8aed093770731d57b19dc039c32423246b.rb b/lib/one_gadget/builds/libc-2.21-c2f12c8aed093770731d57b19dc039c32423246b.rb
index 673f0ff..ef5dea1 100644
--- a/lib/one_gadget/builds/libc-2.21-c2f12c8aed093770731d57b19dc039c32423246b.rb
+++ b/lib/one_gadget/builds/libc-2.21-c2f12c8aed093770731d57b19dc039c32423246b.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240614,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240616,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240620,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240627,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240662,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240663,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400404,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-c3318940121036465913d946fa62fef61459b68a.rb b/lib/one_gadget/builds/libc-2.21-c3318940121036465913d946fa62fef61459b68a.rb
index 371f493..cbe732e 100644
--- a/lib/one_gadget/builds/libc-2.21-c3318940121036465913d946fa62fef61459b68a.rb
+++ b/lib/one_gadget/builds/libc-2.21-c3318940121036465913d946fa62fef61459b68a.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240750,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240752,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240756,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240763,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240798,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240799,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 402084,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-c4969c549a0d0099304108e50a77ff68602ed922.rb b/lib/one_gadget/builds/libc-2.21-c4969c549a0d0099304108e50a77ff68602ed922.rb
index 502e81f..db2b747 100644
--- a/lib/one_gadget/builds/libc-2.21-c4969c549a0d0099304108e50a77ff68602ed922.rb
+++ b/lib/one_gadget/builds/libc-2.21-c4969c549a0d0099304108e50a77ff68602ed922.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240502,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240504,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240508,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240515,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240550,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240551,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400292,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-c51ca19ec6c53db97a15c67eea8ed00761570689.rb b/lib/one_gadget/builds/libc-2.21-c51ca19ec6c53db97a15c67eea8ed00761570689.rb
index aa064e8..67f9e8d 100644
--- a/lib/one_gadget/builds/libc-2.21-c51ca19ec6c53db97a15c67eea8ed00761570689.rb
+++ b/lib/one_gadget/builds/libc-2.21-c51ca19ec6c53db97a15c67eea8ed00761570689.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240502,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240504,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240508,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240515,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240550,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240551,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400292,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-c601601a621be82612e36dd2a981121c141c72c9.rb b/lib/one_gadget/builds/libc-2.21-c601601a621be82612e36dd2a981121c141c72c9.rb
index daf93db..0c17ddf 100644
--- a/lib/one_gadget/builds/libc-2.21-c601601a621be82612e36dd2a981121c141c72c9.rb
+++ b/lib/one_gadget/builds/libc-2.21-c601601a621be82612e36dd2a981121c141c72c9.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255762,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 255769,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 255853,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 708672,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 708892,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 837635,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 837647,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 852641,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-c6654d8229ff494d5b5c067e8a1dbf184fcdd57d.rb b/lib/one_gadget/builds/libc-2.21-c6654d8229ff494d5b5c067e8a1dbf184fcdd57d.rb
index a02b57f..ee7344b 100644
--- a/lib/one_gadget/builds/libc-2.21-c6654d8229ff494d5b5c067e8a1dbf184fcdd57d.rb
+++ b/lib/one_gadget/builds/libc-2.21-c6654d8229ff494d5b5c067e8a1dbf184fcdd57d.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240614,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240616,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240620,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240627,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240662,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240663,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 401556,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-c91d043eaeb023885cdd80a3c0872d9fde9867bb.rb b/lib/one_gadget/builds/libc-2.21-c91d043eaeb023885cdd80a3c0872d9fde9867bb.rb
index 9a939c5..76228a1 100644
--- a/lib/one_gadget/builds/libc-2.21-c91d043eaeb023885cdd80a3c0872d9fde9867bb.rb
+++ b/lib/one_gadget/builds/libc-2.21-c91d043eaeb023885cdd80a3c0872d9fde9867bb.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240438,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240440,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240444,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240451,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240486,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240487,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400228,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-cb732feec2d8bae5ebb5d072a86cd31aca65f89b.rb b/lib/one_gadget/builds/libc-2.21-cb732feec2d8bae5ebb5d072a86cd31aca65f89b.rb
index ab56813..8215471 100644
--- a/lib/one_gadget/builds/libc-2.21-cb732feec2d8bae5ebb5d072a86cd31aca65f89b.rb
+++ b/lib/one_gadget/builds/libc-2.21-cb732feec2d8bae5ebb5d072a86cd31aca65f89b.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240702,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240704,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240708,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240715,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240750,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240751,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 402036,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-cf580407d98ed9bec9c92c1ae2241eca8604e4d5.rb b/lib/one_gadget/builds/libc-2.21-cf580407d98ed9bec9c92c1ae2241eca8604e4d5.rb
index df08def..e34db9a 100644
--- a/lib/one_gadget/builds/libc-2.21-cf580407d98ed9bec9c92c1ae2241eca8604e4d5.rb
+++ b/lib/one_gadget/builds/libc-2.21-cf580407d98ed9bec9c92c1ae2241eca8604e4d5.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 260127,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260134,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260218,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 757472,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 757692,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 879581,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 879593,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 894865,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-d0cbed817be7f8947339e1796d1964567e9dfe96.rb b/lib/one_gadget/builds/libc-2.21-d0cbed817be7f8947339e1796d1964567e9dfe96.rb
index e4ee757..417d37f 100644
--- a/lib/one_gadget/builds/libc-2.21-d0cbed817be7f8947339e1796d1964567e9dfe96.rb
+++ b/lib/one_gadget/builds/libc-2.21-d0cbed817be7f8947339e1796d1964567e9dfe96.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240550,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240552,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240556,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240563,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240598,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240599,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 401492,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-d1c4dd44416a5a2781b37f7d9111961c8dc58583.rb b/lib/one_gadget/builds/libc-2.21-d1c4dd44416a5a2781b37f7d9111961c8dc58583.rb
index c5ff2f3..042bd90 100644
--- a/lib/one_gadget/builds/libc-2.21-d1c4dd44416a5a2781b37f7d9111961c8dc58583.rb
+++ b/lib/one_gadget/builds/libc-2.21-d1c4dd44416a5a2781b37f7d9111961c8dc58583.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234101,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234103,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234107,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234114,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234149,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234150,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393647,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-dc53884306f13d86e310d893433556d93ef7facc.rb b/lib/one_gadget/builds/libc-2.21-dc53884306f13d86e310d893433556d93ef7facc.rb
index 8ad85f2..1397edf 100644
--- a/lib/one_gadget/builds/libc-2.21-dc53884306f13d86e310d893433556d93ef7facc.rb
+++ b/lib/one_gadget/builds/libc-2.21-dc53884306f13d86e310d893433556d93ef7facc.rb
@@ -19,28 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 279039,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 279046,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 279130,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 834544,
- constraints: ["[rcx] == NULL || rcx == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, r12)")
OneGadget::Gadget.add(build_id, 834768,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 985728,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 985740,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 989517,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 1010576,
- constraints: ["[r8] == NULL || r8 == NULL", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL"],
+ constraints: ["[r8] == NULL || r8 == NULL || r8 is a valid argv", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL || [rbp-0xf8] is a valid envp"],
effect: "execve(\"/bin/sh\", r8, [rbp-0xf8])")
diff --git a/lib/one_gadget/builds/libc-2.21-dc70ee31ce02e89d989cb38dc885438e19dc5919.rb b/lib/one_gadget/builds/libc-2.21-dc70ee31ce02e89d989cb38dc885438e19dc5919.rb
index c021fb5..a45cbfa 100644
--- a/lib/one_gadget/builds/libc-2.21-dc70ee31ce02e89d989cb38dc885438e19dc5919.rb
+++ b/lib/one_gadget/builds/libc-2.21-dc70ee31ce02e89d989cb38dc885438e19dc5919.rb
@@ -19,28 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 279055,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 279062,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 279146,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 834192,
- constraints: ["[rcx] == NULL || rcx == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, r12)")
OneGadget::Gadget.add(build_id, 834416,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 985376,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 985388,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 989165,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 1010272,
- constraints: ["[r8] == NULL || r8 == NULL", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL"],
+ constraints: ["[r8] == NULL || r8 == NULL || r8 is a valid argv", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL || [rbp-0xf8] is a valid envp"],
effect: "execve(\"/bin/sh\", r8, [rbp-0xf8])")
diff --git a/lib/one_gadget/builds/libc-2.21-e174b9dc46c7d38d1f153f2a4f9c059484042cdc.rb b/lib/one_gadget/builds/libc-2.21-e174b9dc46c7d38d1f153f2a4f9c059484042cdc.rb
index 5afa65e..ee358b8 100644
--- a/lib/one_gadget/builds/libc-2.21-e174b9dc46c7d38d1f153f2a4f9c059484042cdc.rb
+++ b/lib/one_gadget/builds/libc-2.21-e174b9dc46c7d38d1f153f2a4f9c059484042cdc.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 241710,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 241712,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 241716,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241723,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241758,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241759,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 403588,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-e3a06c9d90272ed9dd49863667de02579971fefd.rb b/lib/one_gadget/builds/libc-2.21-e3a06c9d90272ed9dd49863667de02579971fefd.rb
index d39ceab..00069c1 100644
--- a/lib/one_gadget/builds/libc-2.21-e3a06c9d90272ed9dd49863667de02579971fefd.rb
+++ b/lib/one_gadget/builds/libc-2.21-e3a06c9d90272ed9dd49863667de02579971fefd.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 260111,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260118,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260202,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 757488,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 757708,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 879597,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 879609,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 894881,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-e6f442dc2d29e0e16cd34dc787d3c95fafeb90cc.rb b/lib/one_gadget/builds/libc-2.21-e6f442dc2d29e0e16cd34dc787d3c95fafeb90cc.rb
index 9dcc1a2..9a3bf77 100644
--- a/lib/one_gadget/builds/libc-2.21-e6f442dc2d29e0e16cd34dc787d3c95fafeb90cc.rb
+++ b/lib/one_gadget/builds/libc-2.21-e6f442dc2d29e0e16cd34dc787d3c95fafeb90cc.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234101,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234103,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234107,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234114,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234149,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234150,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393647,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-e91a3a679d219196e597358caa46469961c471fd.rb b/lib/one_gadget/builds/libc-2.21-e91a3a679d219196e597358caa46469961c471fd.rb
index 9c87426..e231485 100644
--- a/lib/one_gadget/builds/libc-2.21-e91a3a679d219196e597358caa46469961c471fd.rb
+++ b/lib/one_gadget/builds/libc-2.21-e91a3a679d219196e597358caa46469961c471fd.rb
@@ -19,19 +19,19 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 436354,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 436373,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
OneGadget::Gadget.add(build_id, 436375,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
OneGadget::Gadget.add(build_id, 436379,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 436380,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 596320,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-f08b44317fec610d418f62d5d24fafaec0510353.rb b/lib/one_gadget/builds/libc-2.21-f08b44317fec610d418f62d5d24fafaec0510353.rb
index 2800108..0b9ee73 100644
--- a/lib/one_gadget/builds/libc-2.21-f08b44317fec610d418f62d5d24fafaec0510353.rb
+++ b/lib/one_gadget/builds/libc-2.21-f08b44317fec610d418f62d5d24fafaec0510353.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259791,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259798,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259882,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 758240,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 758460,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 880349,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 880361,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 895633,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-f0c24219cbba0605e39e02123398437c5dbbb104.rb b/lib/one_gadget/builds/libc-2.21-f0c24219cbba0605e39e02123398437c5dbbb104.rb
index 5ddf952..ab4060b 100644
--- a/lib/one_gadget/builds/libc-2.21-f0c24219cbba0605e39e02123398437c5dbbb104.rb
+++ b/lib/one_gadget/builds/libc-2.21-f0c24219cbba0605e39e02123398437c5dbbb104.rb
@@ -21,22 +21,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 246761,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 246768,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 246777,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 246813,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
OneGadget::Gadget.add(build_id, 246817,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406271,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
OneGadget::Gadget.add(build_id, 406275,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
OneGadget::Gadget.add(build_id, 406281,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
effect: "execl(\"/bin/sh\", eax)")
OneGadget::Gadget.add(build_id, 406285,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.21-f233903e448d3ae08e72a23b0e742ecfc8b6ccc1.rb b/lib/one_gadget/builds/libc-2.21-f233903e448d3ae08e72a23b0e742ecfc8b6ccc1.rb
index 739fd69..7cfc409 100644
--- a/lib/one_gadget/builds/libc-2.21-f233903e448d3ae08e72a23b0e742ecfc8b6ccc1.rb
+++ b/lib/one_gadget/builds/libc-2.21-f233903e448d3ae08e72a23b0e742ecfc8b6ccc1.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240750,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240752,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240756,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240763,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240798,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240799,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 402084,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-f5043f1299e2b98ddf8a1ba08f731f260492601a.rb b/lib/one_gadget/builds/libc-2.21-f5043f1299e2b98ddf8a1ba08f731f260492601a.rb
index f5c9570..2f089f7 100644
--- a/lib/one_gadget/builds/libc-2.21-f5043f1299e2b98ddf8a1ba08f731f260492601a.rb
+++ b/lib/one_gadget/builds/libc-2.21-f5043f1299e2b98ddf8a1ba08f731f260492601a.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234245,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234247,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234251,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234258,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234293,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234294,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393791,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-f9e9b2f3225a520c823f0d81aea92a3dacfd621f.rb b/lib/one_gadget/builds/libc-2.21-f9e9b2f3225a520c823f0d81aea92a3dacfd621f.rb
index dc03540..7df50d7 100644
--- a/lib/one_gadget/builds/libc-2.21-f9e9b2f3225a520c823f0d81aea92a3dacfd621f.rb
+++ b/lib/one_gadget/builds/libc-2.21-f9e9b2f3225a520c823f0d81aea92a3dacfd621f.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234181,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234183,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234187,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234194,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234229,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234230,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393727,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-fe668be19c2dadb3cef5e6eafb6796acabf0b8f1.rb b/lib/one_gadget/builds/libc-2.21-fe668be19c2dadb3cef5e6eafb6796acabf0b8f1.rb
index 6bdb592..56604b3 100644
--- a/lib/one_gadget/builds/libc-2.21-fe668be19c2dadb3cef5e6eafb6796acabf0b8f1.rb
+++ b/lib/one_gadget/builds/libc-2.21-fe668be19c2dadb3cef5e6eafb6796acabf0b8f1.rb
@@ -19,28 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 279055,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 279062,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 279146,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 833808,
- constraints: ["[rcx] == NULL || rcx == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, r12)")
OneGadget::Gadget.add(build_id, 834032,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 984992,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 985004,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 988781,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 1009840,
- constraints: ["[r8] == NULL || r8 == NULL", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL"],
+ constraints: ["[r8] == NULL || r8 == NULL || r8 is a valid argv", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL || [rbp-0xf8] is a valid envp"],
effect: "execve(\"/bin/sh\", r8, [rbp-0xf8])")
diff --git a/lib/one_gadget/builds/libc-2.21.90-d8785e62882096798b9a47645c401e2db0c3da87.rb b/lib/one_gadget/builds/libc-2.21.90-d8785e62882096798b9a47645c401e2db0c3da87.rb
index c76dfc2..7952452 100644
--- a/lib/one_gadget/builds/libc-2.21.90-d8785e62882096798b9a47645c401e2db0c3da87.rb
+++ b/lib/one_gadget/builds/libc-2.21.90-d8785e62882096798b9a47645c401e2db0c3da87.rb
@@ -22,22 +22,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 255032,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 255034,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 255038,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 255045,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 255080,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 255081,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 417876,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21.90-ec2edee6fe6141b914f74b6d3541e986c1995420.rb b/lib/one_gadget/builds/libc-2.21.90-ec2edee6fe6141b914f74b6d3541e986c1995420.rb
index c10af0e..4c402ff 100644
--- a/lib/one_gadget/builds/libc-2.21.90-ec2edee6fe6141b914f74b6d3541e986c1995420.rb
+++ b/lib/one_gadget/builds/libc-2.21.90-ec2edee6fe6141b914f74b6d3541e986c1995420.rb
@@ -22,22 +22,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 256271,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 256273,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 256277,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 256284,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 256319,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 256320,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 420820,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-056b23405739592e947a92cb210791fbfe9d9938.rb b/lib/one_gadget/builds/libc-2.22-056b23405739592e947a92cb210791fbfe9d9938.rb
index 210b05c..7cbef9b 100644
--- a/lib/one_gadget/builds/libc-2.22-056b23405739592e947a92cb210791fbfe9d9938.rb
+++ b/lib/one_gadget/builds/libc-2.22-056b23405739592e947a92cb210791fbfe9d9938.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 241007,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 241009,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 241013,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241020,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241055,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241056,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 401703,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-057feedce849edba19d94bf3920903b4c297e249.rb b/lib/one_gadget/builds/libc-2.22-057feedce849edba19d94bf3920903b4c297e249.rb
index 338de1a..10b922f 100644
--- a/lib/one_gadget/builds/libc-2.22-057feedce849edba19d94bf3920903b4c297e249.rb
+++ b/lib/one_gadget/builds/libc-2.22-057feedce849edba19d94bf3920903b4c297e249.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240280,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240282,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240286,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240293,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240328,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240329,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 399347,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-06a01f4986991b8605b775bd21c3829c071c7e01.rb b/lib/one_gadget/builds/libc-2.22-06a01f4986991b8605b775bd21c3829c071c7e01.rb
index d7d5717..fdaf74e 100644
--- a/lib/one_gadget/builds/libc-2.22-06a01f4986991b8605b775bd21c3829c071c7e01.rb
+++ b/lib/one_gadget/builds/libc-2.22-06a01f4986991b8605b775bd21c3829c071c7e01.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233093,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233095,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233099,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233141,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233142,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393487,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-07627a0a76d4347858dc9b2533aac197920feb67.rb b/lib/one_gadget/builds/libc-2.22-07627a0a76d4347858dc9b2533aac197920feb67.rb
index 411f1a2..b3fdee0 100644
--- a/lib/one_gadget/builds/libc-2.22-07627a0a76d4347858dc9b2533aac197920feb67.rb
+++ b/lib/one_gadget/builds/libc-2.22-07627a0a76d4347858dc9b2533aac197920feb67.rb
@@ -19,19 +19,19 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 437040,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 437059,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
OneGadget::Gadget.add(build_id, 437061,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
OneGadget::Gadget.add(build_id, 437065,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 437066,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 596336,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-079d0ce21fe81c5c95f687db4b944d28c121a849.rb b/lib/one_gadget/builds/libc-2.22-079d0ce21fe81c5c95f687db4b944d28c121a849.rb
index d7af4fe..3829302 100644
--- a/lib/one_gadget/builds/libc-2.22-079d0ce21fe81c5c95f687db4b944d28c121a849.rb
+++ b/lib/one_gadget/builds/libc-2.22-079d0ce21fe81c5c95f687db4b944d28c121a849.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240991,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240993,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240997,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241004,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241039,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241040,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 401687,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-0f1e39397cbf59f35018306725336d275b33fad6.rb b/lib/one_gadget/builds/libc-2.22-0f1e39397cbf59f35018306725336d275b33fad6.rb
index 0b5813f..a057277 100644
--- a/lib/one_gadget/builds/libc-2.22-0f1e39397cbf59f35018306725336d275b33fad6.rb
+++ b/lib/one_gadget/builds/libc-2.22-0f1e39397cbf59f35018306725336d275b33fad6.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233093,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233095,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233099,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233141,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233142,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393487,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-111a78efce1a05c176c84381f9a8687564c124dd.rb b/lib/one_gadget/builds/libc-2.22-111a78efce1a05c176c84381f9a8687564c124dd.rb
index 3c58424..abe95c6 100644
--- a/lib/one_gadget/builds/libc-2.22-111a78efce1a05c176c84381f9a8687564c124dd.rb
+++ b/lib/one_gadget/builds/libc-2.22-111a78efce1a05c176c84381f9a8687564c124dd.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259407,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259414,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259498,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 759543,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 759752,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 881159,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 881171,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 895921,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-11c38e8940f7cd6be485bf6903fdb169d71617dd.rb b/lib/one_gadget/builds/libc-2.22-11c38e8940f7cd6be485bf6903fdb169d71617dd.rb
index 1b6b237..bf31055 100644
--- a/lib/one_gadget/builds/libc-2.22-11c38e8940f7cd6be485bf6903fdb169d71617dd.rb
+++ b/lib/one_gadget/builds/libc-2.22-11c38e8940f7cd6be485bf6903fdb169d71617dd.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259407,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259414,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259498,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 759543,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 759752,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 881159,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 881171,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 895921,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-121137de182d11744ae6be8683de568a64edca7f.rb b/lib/one_gadget/builds/libc-2.22-121137de182d11744ae6be8683de568a64edca7f.rb
index 8cd481c..319ed56 100644
--- a/lib/one_gadget/builds/libc-2.22-121137de182d11744ae6be8683de568a64edca7f.rb
+++ b/lib/one_gadget/builds/libc-2.22-121137de182d11744ae6be8683de568a64edca7f.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233061,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233063,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233067,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233074,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233109,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233110,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393503,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-124cbcd567a508befc4d08238d209749a6f81ef6.rb b/lib/one_gadget/builds/libc-2.22-124cbcd567a508befc4d08238d209749a6f81ef6.rb
index 62fc9e8..d8a0a4b 100644
--- a/lib/one_gadget/builds/libc-2.22-124cbcd567a508befc4d08238d209749a6f81ef6.rb
+++ b/lib/one_gadget/builds/libc-2.22-124cbcd567a508befc4d08238d209749a6f81ef6.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259439,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259446,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259530,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 759079,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 759288,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 881191,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 881203,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 896001,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-13fbe87df7583cb37d64da775d5298d139d6c645.rb b/lib/one_gadget/builds/libc-2.22-13fbe87df7583cb37d64da775d5298d139d6c645.rb
index 85d350b..2a66ce3 100644
--- a/lib/one_gadget/builds/libc-2.22-13fbe87df7583cb37d64da775d5298d139d6c645.rb
+++ b/lib/one_gadget/builds/libc-2.22-13fbe87df7583cb37d64da775d5298d139d6c645.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259439,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259446,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259530,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 759175,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 759384,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 881287,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 881299,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 896049,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-142110382cc91407cee827f639c811fa41aad081.rb b/lib/one_gadget/builds/libc-2.22-142110382cc91407cee827f639c811fa41aad081.rb
index 4856cee..2a1ab45 100644
--- a/lib/one_gadget/builds/libc-2.22-142110382cc91407cee827f639c811fa41aad081.rb
+++ b/lib/one_gadget/builds/libc-2.22-142110382cc91407cee827f639c811fa41aad081.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233093,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233095,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233099,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233141,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233142,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393487,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-157a6d46c53ff9cd3176239d342644bd34cc9e6a.rb b/lib/one_gadget/builds/libc-2.22-157a6d46c53ff9cd3176239d342644bd34cc9e6a.rb
index e8174c8..6492e1e 100644
--- a/lib/one_gadget/builds/libc-2.22-157a6d46c53ff9cd3176239d342644bd34cc9e6a.rb
+++ b/lib/one_gadget/builds/libc-2.22-157a6d46c53ff9cd3176239d342644bd34cc9e6a.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254130,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254137,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254221,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 706983,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 707192,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 835315,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 835327,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 849793,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-172387e0713d81467e907f48691fd8a3a9d9b745.rb b/lib/one_gadget/builds/libc-2.22-172387e0713d81467e907f48691fd8a3a9d9b745.rb
index ea95a5e..d79cce8 100644
--- a/lib/one_gadget/builds/libc-2.22-172387e0713d81467e907f48691fd8a3a9d9b745.rb
+++ b/lib/one_gadget/builds/libc-2.22-172387e0713d81467e907f48691fd8a3a9d9b745.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233093,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233095,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233099,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233141,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233142,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393487,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-1853ca84fd72235c89ca6c71dc2fd586035fb508.rb b/lib/one_gadget/builds/libc-2.22-1853ca84fd72235c89ca6c71dc2fd586035fb508.rb
index b3ce493..1e7a0cb 100644
--- a/lib/one_gadget/builds/libc-2.22-1853ca84fd72235c89ca6c71dc2fd586035fb508.rb
+++ b/lib/one_gadget/builds/libc-2.22-1853ca84fd72235c89ca6c71dc2fd586035fb508.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240104,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240110,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240117,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240152,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240153,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400195,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-18c9fd18d79dce6408c752dc974b0b895286f861.rb b/lib/one_gadget/builds/libc-2.22-18c9fd18d79dce6408c752dc974b0b895286f861.rb
index f978607..cee74af 100644
--- a/lib/one_gadget/builds/libc-2.22-18c9fd18d79dce6408c752dc974b0b895286f861.rb
+++ b/lib/one_gadget/builds/libc-2.22-18c9fd18d79dce6408c752dc974b0b895286f861.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259855,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259862,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259946,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 759479,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 759688,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 882007,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 882019,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 896945,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-190d9018168d767820b7fc6fac5cb62d1a40d819.rb b/lib/one_gadget/builds/libc-2.22-190d9018168d767820b7fc6fac5cb62d1a40d819.rb
index a05353b..903a8cb 100644
--- a/lib/one_gadget/builds/libc-2.22-190d9018168d767820b7fc6fac5cb62d1a40d819.rb
+++ b/lib/one_gadget/builds/libc-2.22-190d9018168d767820b7fc6fac5cb62d1a40d819.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240088,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240090,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240094,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240101,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240136,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240137,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400131,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-1c3905611074ae1c586d90e5312e49817dfb1454.rb b/lib/one_gadget/builds/libc-2.22-1c3905611074ae1c586d90e5312e49817dfb1454.rb
index 7c46d6f..2e023c5 100644
--- a/lib/one_gadget/builds/libc-2.22-1c3905611074ae1c586d90e5312e49817dfb1454.rb
+++ b/lib/one_gadget/builds/libc-2.22-1c3905611074ae1c586d90e5312e49817dfb1454.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259407,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259414,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259498,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 759543,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 759752,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 881159,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 881171,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 895921,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-1ef0e3b0b75b086f54c2fb8ad958db46c199de28.rb b/lib/one_gadget/builds/libc-2.22-1ef0e3b0b75b086f54c2fb8ad958db46c199de28.rb
index 3016b67..584f194 100644
--- a/lib/one_gadget/builds/libc-2.22-1ef0e3b0b75b086f54c2fb8ad958db46c199de28.rb
+++ b/lib/one_gadget/builds/libc-2.22-1ef0e3b0b75b086f54c2fb8ad958db46c199de28.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240735,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240737,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240741,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240748,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240783,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240784,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 401431,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-20d1cd3333f60c045ee0d71cd32ac74a6b721b85.rb b/lib/one_gadget/builds/libc-2.22-20d1cd3333f60c045ee0d71cd32ac74a6b721b85.rb
index bd32c62..17e2356 100644
--- a/lib/one_gadget/builds/libc-2.22-20d1cd3333f60c045ee0d71cd32ac74a6b721b85.rb
+++ b/lib/one_gadget/builds/libc-2.22-20d1cd3333f60c045ee0d71cd32ac74a6b721b85.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240454,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240456,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240460,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240467,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240502,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240503,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 396729,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-22585efc70794668f1b7f01f4392daef49f476e0.rb b/lib/one_gadget/builds/libc-2.22-22585efc70794668f1b7f01f4392daef49f476e0.rb
index 0006692..a39527b 100644
--- a/lib/one_gadget/builds/libc-2.22-22585efc70794668f1b7f01f4392daef49f476e0.rb
+++ b/lib/one_gadget/builds/libc-2.22-22585efc70794668f1b7f01f4392daef49f476e0.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233061,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233063,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233067,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233074,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233109,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233110,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393455,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-263aaed35e720148fbc396f8311138d46d099d7e.rb b/lib/one_gadget/builds/libc-2.22-263aaed35e720148fbc396f8311138d46d099d7e.rb
index 755a1d4..408f73d 100644
--- a/lib/one_gadget/builds/libc-2.22-263aaed35e720148fbc396f8311138d46d099d7e.rb
+++ b/lib/one_gadget/builds/libc-2.22-263aaed35e720148fbc396f8311138d46d099d7e.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233093,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233095,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233099,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233141,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233142,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393487,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-26ce2dab7bee96ee1c9d290100ffae593a644ddf.rb b/lib/one_gadget/builds/libc-2.22-26ce2dab7bee96ee1c9d290100ffae593a644ddf.rb
index 74d02d1..47fe745 100644
--- a/lib/one_gadget/builds/libc-2.22-26ce2dab7bee96ee1c9d290100ffae593a644ddf.rb
+++ b/lib/one_gadget/builds/libc-2.22-26ce2dab7bee96ee1c9d290100ffae593a644ddf.rb
@@ -19,19 +19,19 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 437040,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 437059,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
OneGadget::Gadget.add(build_id, 437061,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
OneGadget::Gadget.add(build_id, 437065,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 437066,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 596336,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-2881424e7394f45d7b7e4b9d7bee0ac3336fb53c.rb b/lib/one_gadget/builds/libc-2.22-2881424e7394f45d7b7e4b9d7bee0ac3336fb53c.rb
index ddc3bb3..11f04d3 100644
--- a/lib/one_gadget/builds/libc-2.22-2881424e7394f45d7b7e4b9d7bee0ac3336fb53c.rb
+++ b/lib/one_gadget/builds/libc-2.22-2881424e7394f45d7b7e4b9d7bee0ac3336fb53c.rb
@@ -19,19 +19,19 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 436064,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 436083,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
OneGadget::Gadget.add(build_id, 436085,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
OneGadget::Gadget.add(build_id, 436089,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 436090,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 596016,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-291a696d50e945b55f27ad1b7055adb4d94d611e.rb b/lib/one_gadget/builds/libc-2.22-291a696d50e945b55f27ad1b7055adb4d94d611e.rb
index 49d1be2..b046206 100644
--- a/lib/one_gadget/builds/libc-2.22-291a696d50e945b55f27ad1b7055adb4d94d611e.rb
+++ b/lib/one_gadget/builds/libc-2.22-291a696d50e945b55f27ad1b7055adb4d94d611e.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240088,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240090,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240094,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240101,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240136,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240137,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400131,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-2da1c94523e9778bedccac2922cdb5582b3bab99.rb b/lib/one_gadget/builds/libc-2.22-2da1c94523e9778bedccac2922cdb5582b3bab99.rb
index b62f8b0..621a25a 100644
--- a/lib/one_gadget/builds/libc-2.22-2da1c94523e9778bedccac2922cdb5582b3bab99.rb
+++ b/lib/one_gadget/builds/libc-2.22-2da1c94523e9778bedccac2922cdb5582b3bab99.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240312,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240314,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240318,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240325,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240360,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240361,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 399379,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-34701c7aa9501f113595ba20117d03fbab4a7edf.rb b/lib/one_gadget/builds/libc-2.22-34701c7aa9501f113595ba20117d03fbab4a7edf.rb
index 2e8ae24..3f2b03f 100644
--- a/lib/one_gadget/builds/libc-2.22-34701c7aa9501f113595ba20117d03fbab4a7edf.rb
+++ b/lib/one_gadget/builds/libc-2.22-34701c7aa9501f113595ba20117d03fbab4a7edf.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259855,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259862,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259946,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 759479,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 759688,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 882007,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 882019,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 896945,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-34a1e432068988d1d05ded9a1ff3a5a4d9ba957d.rb b/lib/one_gadget/builds/libc-2.22-34a1e432068988d1d05ded9a1ff3a5a4d9ba957d.rb
index 14b425d..1b9bc3d 100644
--- a/lib/one_gadget/builds/libc-2.22-34a1e432068988d1d05ded9a1ff3a5a4d9ba957d.rb
+++ b/lib/one_gadget/builds/libc-2.22-34a1e432068988d1d05ded9a1ff3a5a4d9ba957d.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233061,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233063,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233067,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233074,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233109,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233110,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393455,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-35dad9bbfda68f466fdb0784359dfa8be8f2e636.rb b/lib/one_gadget/builds/libc-2.22-35dad9bbfda68f466fdb0784359dfa8be8f2e636.rb
index 0e0dc36..552bcba 100644
--- a/lib/one_gadget/builds/libc-2.22-35dad9bbfda68f466fdb0784359dfa8be8f2e636.rb
+++ b/lib/one_gadget/builds/libc-2.22-35dad9bbfda68f466fdb0784359dfa8be8f2e636.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 232725,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 232727,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 232731,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 232738,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 232773,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 232774,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393487,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-372f377ce426f864bf68f2a32cd703d595664885.rb b/lib/one_gadget/builds/libc-2.22-372f377ce426f864bf68f2a32cd703d595664885.rb
index abff32d..b210b0e 100644
--- a/lib/one_gadget/builds/libc-2.22-372f377ce426f864bf68f2a32cd703d595664885.rb
+++ b/lib/one_gadget/builds/libc-2.22-372f377ce426f864bf68f2a32cd703d595664885.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233093,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233095,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233099,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233141,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233142,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393535,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-37acef3594b4fbe5bdb37cfab88155ea223bac9d.rb b/lib/one_gadget/builds/libc-2.22-37acef3594b4fbe5bdb37cfab88155ea223bac9d.rb
index 0a90188..498b6b1 100644
--- a/lib/one_gadget/builds/libc-2.22-37acef3594b4fbe5bdb37cfab88155ea223bac9d.rb
+++ b/lib/one_gadget/builds/libc-2.22-37acef3594b4fbe5bdb37cfab88155ea223bac9d.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233061,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233063,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233067,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233074,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233109,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233110,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393455,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-3d8a83ac6553abcf5e18c10a39e5020352cf1fb2.rb b/lib/one_gadget/builds/libc-2.22-3d8a83ac6553abcf5e18c10a39e5020352cf1fb2.rb
index b10e975..4316f1a 100644
--- a/lib/one_gadget/builds/libc-2.22-3d8a83ac6553abcf5e18c10a39e5020352cf1fb2.rb
+++ b/lib/one_gadget/builds/libc-2.22-3d8a83ac6553abcf5e18c10a39e5020352cf1fb2.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240104,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240110,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240117,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240152,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240153,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400195,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-3e86d1920edbc9fb506c499301164f3920a3e141.rb b/lib/one_gadget/builds/libc-2.22-3e86d1920edbc9fb506c499301164f3920a3e141.rb
index 6790043..c14b291 100644
--- a/lib/one_gadget/builds/libc-2.22-3e86d1920edbc9fb506c499301164f3920a3e141.rb
+++ b/lib/one_gadget/builds/libc-2.22-3e86d1920edbc9fb506c499301164f3920a3e141.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240470,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240472,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240476,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240483,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240518,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240519,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 396745,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-461f342f6e88de1977eb60aecd9554335b3602be.rb b/lib/one_gadget/builds/libc-2.22-461f342f6e88de1977eb60aecd9554335b3602be.rb
index 9a07e76..51cd553 100644
--- a/lib/one_gadget/builds/libc-2.22-461f342f6e88de1977eb60aecd9554335b3602be.rb
+++ b/lib/one_gadget/builds/libc-2.22-461f342f6e88de1977eb60aecd9554335b3602be.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254130,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254137,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254221,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 706983,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 707192,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 835315,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 835327,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 849793,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-49c585626bc777823124cce965150be221723855.rb b/lib/one_gadget/builds/libc-2.22-49c585626bc777823124cce965150be221723855.rb
index 3e29e36..5cafa1f 100644
--- a/lib/one_gadget/builds/libc-2.22-49c585626bc777823124cce965150be221723855.rb
+++ b/lib/one_gadget/builds/libc-2.22-49c585626bc777823124cce965150be221723855.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240088,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240090,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240094,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240101,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240136,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240137,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400131,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-4bccfeb62282482e2bb5fe47523cc26cc9891d9d.rb b/lib/one_gadget/builds/libc-2.22-4bccfeb62282482e2bb5fe47523cc26cc9891d9d.rb
index 71f5b53..5e2827e 100644
--- a/lib/one_gadget/builds/libc-2.22-4bccfeb62282482e2bb5fe47523cc26cc9891d9d.rb
+++ b/lib/one_gadget/builds/libc-2.22-4bccfeb62282482e2bb5fe47523cc26cc9891d9d.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240120,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240122,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240126,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240133,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240168,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240169,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400211,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-4e7b4e6104632c48765f27c7e53ce073c73b03c2.rb b/lib/one_gadget/builds/libc-2.22-4e7b4e6104632c48765f27c7e53ce073c73b03c2.rb
index e959eca..cae897d 100644
--- a/lib/one_gadget/builds/libc-2.22-4e7b4e6104632c48765f27c7e53ce073c73b03c2.rb
+++ b/lib/one_gadget/builds/libc-2.22-4e7b4e6104632c48765f27c7e53ce073c73b03c2.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233061,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233063,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233067,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233074,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233109,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233110,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393503,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-515163d8d5ee351c62d0ef6438b1cb492b882128.rb b/lib/one_gadget/builds/libc-2.22-515163d8d5ee351c62d0ef6438b1cb492b882128.rb
index b8bed64..da7475f 100644
--- a/lib/one_gadget/builds/libc-2.22-515163d8d5ee351c62d0ef6438b1cb492b882128.rb
+++ b/lib/one_gadget/builds/libc-2.22-515163d8d5ee351c62d0ef6438b1cb492b882128.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 232597,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 232599,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 232603,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 232610,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 232645,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 232646,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393151,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-53e3e8ce017c356969e16f4bb329fc45e948a045.rb b/lib/one_gadget/builds/libc-2.22-53e3e8ce017c356969e16f4bb329fc45e948a045.rb
index 3f48de6..539fbd7 100644
--- a/lib/one_gadget/builds/libc-2.22-53e3e8ce017c356969e16f4bb329fc45e948a045.rb
+++ b/lib/one_gadget/builds/libc-2.22-53e3e8ce017c356969e16f4bb329fc45e948a045.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259407,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259414,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259498,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 759543,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 759752,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 881159,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 881171,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 895921,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-5f40eb5a5f32b9824ba0cb2547ffb2b6964f6414.rb b/lib/one_gadget/builds/libc-2.22-5f40eb5a5f32b9824ba0cb2547ffb2b6964f6414.rb
index 683729c..b7aefb9 100644
--- a/lib/one_gadget/builds/libc-2.22-5f40eb5a5f32b9824ba0cb2547ffb2b6964f6414.rb
+++ b/lib/one_gadget/builds/libc-2.22-5f40eb5a5f32b9824ba0cb2547ffb2b6964f6414.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254130,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254137,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254221,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 706983,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 707192,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 835315,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 835327,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 849793,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-6281300a16a309db14773233ab085dadc65f0081.rb b/lib/one_gadget/builds/libc-2.22-6281300a16a309db14773233ab085dadc65f0081.rb
index d251a7f..0f3253c 100644
--- a/lib/one_gadget/builds/libc-2.22-6281300a16a309db14773233ab085dadc65f0081.rb
+++ b/lib/one_gadget/builds/libc-2.22-6281300a16a309db14773233ab085dadc65f0081.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240120,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240122,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240126,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240133,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240168,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240169,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400211,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-6293d42412b9a87b7233bcb5f5cbf4496c8c90dd.rb b/lib/one_gadget/builds/libc-2.22-6293d42412b9a87b7233bcb5f5cbf4496c8c90dd.rb
index 12a448e..bafd048 100644
--- a/lib/one_gadget/builds/libc-2.22-6293d42412b9a87b7233bcb5f5cbf4496c8c90dd.rb
+++ b/lib/one_gadget/builds/libc-2.22-6293d42412b9a87b7233bcb5f5cbf4496c8c90dd.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240991,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240993,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240997,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241004,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241039,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241040,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 401687,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-661a81563d20e7823c63828ff38348ec1b80adcc.rb b/lib/one_gadget/builds/libc-2.22-661a81563d20e7823c63828ff38348ec1b80adcc.rb
index ce6aa44..748be09 100644
--- a/lib/one_gadget/builds/libc-2.22-661a81563d20e7823c63828ff38348ec1b80adcc.rb
+++ b/lib/one_gadget/builds/libc-2.22-661a81563d20e7823c63828ff38348ec1b80adcc.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233061,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233063,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233067,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233074,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233109,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233110,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393455,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-6670937bc44571ec34ab812a7a7d2ce839a382ad.rb b/lib/one_gadget/builds/libc-2.22-6670937bc44571ec34ab812a7a7d2ce839a382ad.rb
index 8cfaeca..5999912 100644
--- a/lib/one_gadget/builds/libc-2.22-6670937bc44571ec34ab812a7a7d2ce839a382ad.rb
+++ b/lib/one_gadget/builds/libc-2.22-6670937bc44571ec34ab812a7a7d2ce839a382ad.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233061,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233063,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233067,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233074,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233109,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233110,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393455,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-669abe13c2975dbdc59eb4cf3a6e9bd28ecd376c.rb b/lib/one_gadget/builds/libc-2.22-669abe13c2975dbdc59eb4cf3a6e9bd28ecd376c.rb
index e4345da..09a6ee5 100644
--- a/lib/one_gadget/builds/libc-2.22-669abe13c2975dbdc59eb4cf3a6e9bd28ecd376c.rb
+++ b/lib/one_gadget/builds/libc-2.22-669abe13c2975dbdc59eb4cf3a6e9bd28ecd376c.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240120,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240122,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240126,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240133,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240168,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240169,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400163,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-66b3470fd1603fc11a54f8f1c69b81d85f2f0074.rb b/lib/one_gadget/builds/libc-2.22-66b3470fd1603fc11a54f8f1c69b81d85f2f0074.rb
index a72b628..0310ec5 100644
--- a/lib/one_gadget/builds/libc-2.22-66b3470fd1603fc11a54f8f1c69b81d85f2f0074.rb
+++ b/lib/one_gadget/builds/libc-2.22-66b3470fd1603fc11a54f8f1c69b81d85f2f0074.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259439,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259446,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259530,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 759175,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 759384,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 881287,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 881299,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 896049,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-67222017b4ae03b81a41387cb81b0814654e2dd6.rb b/lib/one_gadget/builds/libc-2.22-67222017b4ae03b81a41387cb81b0814654e2dd6.rb
index ed3b280..e73f873 100644
--- a/lib/one_gadget/builds/libc-2.22-67222017b4ae03b81a41387cb81b0814654e2dd6.rb
+++ b/lib/one_gadget/builds/libc-2.22-67222017b4ae03b81a41387cb81b0814654e2dd6.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 260063,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260070,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260154,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 759015,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 759224,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 881367,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 881379,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 896305,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-6758f608b9326b54464784a72149d9991ce839d1.rb b/lib/one_gadget/builds/libc-2.22-6758f608b9326b54464784a72149d9991ce839d1.rb
index 0cec829..aa8efd3 100644
--- a/lib/one_gadget/builds/libc-2.22-6758f608b9326b54464784a72149d9991ce839d1.rb
+++ b/lib/one_gadget/builds/libc-2.22-6758f608b9326b54464784a72149d9991ce839d1.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254162,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254169,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254253,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 706647,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 706856,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 835395,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 835407,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 849873,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-68afe0b2e7d234d495d38ec6bf35257a42f229de.rb b/lib/one_gadget/builds/libc-2.22-68afe0b2e7d234d495d38ec6bf35257a42f229de.rb
index e080425..0e659d5 100644
--- a/lib/one_gadget/builds/libc-2.22-68afe0b2e7d234d495d38ec6bf35257a42f229de.rb
+++ b/lib/one_gadget/builds/libc-2.22-68afe0b2e7d234d495d38ec6bf35257a42f229de.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240104,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240110,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240117,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240152,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240153,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400147,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-695c07ac1193aad1d8ee9871ee425e5653408a4d.rb b/lib/one_gadget/builds/libc-2.22-695c07ac1193aad1d8ee9871ee425e5653408a4d.rb
index 02031ff..c64a4f4 100644
--- a/lib/one_gadget/builds/libc-2.22-695c07ac1193aad1d8ee9871ee425e5653408a4d.rb
+++ b/lib/one_gadget/builds/libc-2.22-695c07ac1193aad1d8ee9871ee425e5653408a4d.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259439,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259446,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259530,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 759079,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 759288,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 881191,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 881203,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 896001,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-6c9019c65a7a835172e1e88ca2f88d1f14fb23e1.rb b/lib/one_gadget/builds/libc-2.22-6c9019c65a7a835172e1e88ca2f88d1f14fb23e1.rb
index 2ddf0c3..eebcc3e 100644
--- a/lib/one_gadget/builds/libc-2.22-6c9019c65a7a835172e1e88ca2f88d1f14fb23e1.rb
+++ b/lib/one_gadget/builds/libc-2.22-6c9019c65a7a835172e1e88ca2f88d1f14fb23e1.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240120,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240122,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240126,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240133,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240168,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240169,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400163,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-765dbc5efb8e378d36cd0742b6e5a65bd9046168.rb b/lib/one_gadget/builds/libc-2.22-765dbc5efb8e378d36cd0742b6e5a65bd9046168.rb
index 710ec25..8db3ea2 100644
--- a/lib/one_gadget/builds/libc-2.22-765dbc5efb8e378d36cd0742b6e5a65bd9046168.rb
+++ b/lib/one_gadget/builds/libc-2.22-765dbc5efb8e378d36cd0742b6e5a65bd9046168.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259503,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259510,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259594,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 759031,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 759240,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 881367,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 881379,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 896305,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-775336aa55e307ff5c730b375f8220b85ede2e34.rb b/lib/one_gadget/builds/libc-2.22-775336aa55e307ff5c730b375f8220b85ede2e34.rb
index 2799f74..ad97654 100644
--- a/lib/one_gadget/builds/libc-2.22-775336aa55e307ff5c730b375f8220b85ede2e34.rb
+++ b/lib/one_gadget/builds/libc-2.22-775336aa55e307ff5c730b375f8220b85ede2e34.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240088,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240090,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240094,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240101,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240136,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240137,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400131,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-7d3f57aba43d34ae3cfab2df04a3050efbd1dfed.rb b/lib/one_gadget/builds/libc-2.22-7d3f57aba43d34ae3cfab2df04a3050efbd1dfed.rb
index 686d083..646e4f4 100644
--- a/lib/one_gadget/builds/libc-2.22-7d3f57aba43d34ae3cfab2df04a3050efbd1dfed.rb
+++ b/lib/one_gadget/builds/libc-2.22-7d3f57aba43d34ae3cfab2df04a3050efbd1dfed.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259439,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259446,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259530,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 759079,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 759288,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 881191,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 881203,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 896001,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-84681ac612616253b2eb8e99e1b68836b7d68cac.rb b/lib/one_gadget/builds/libc-2.22-84681ac612616253b2eb8e99e1b68836b7d68cac.rb
index e8a462b..5d8733b 100644
--- a/lib/one_gadget/builds/libc-2.22-84681ac612616253b2eb8e99e1b68836b7d68cac.rb
+++ b/lib/one_gadget/builds/libc-2.22-84681ac612616253b2eb8e99e1b68836b7d68cac.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233061,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233063,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233067,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233074,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233109,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233110,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393455,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-87066f8392926c00ab4a5969f52aade616c1e314.rb b/lib/one_gadget/builds/libc-2.22-87066f8392926c00ab4a5969f52aade616c1e314.rb
index 37e517d..d6cc495 100644
--- a/lib/one_gadget/builds/libc-2.22-87066f8392926c00ab4a5969f52aade616c1e314.rb
+++ b/lib/one_gadget/builds/libc-2.22-87066f8392926c00ab4a5969f52aade616c1e314.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240088,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240090,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240094,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240101,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240136,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240137,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400131,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-871cd1cac63b0dcd8f2cdd231291f9f89fe7c099.rb b/lib/one_gadget/builds/libc-2.22-871cd1cac63b0dcd8f2cdd231291f9f89fe7c099.rb
index 537270b..31efb7e 100644
--- a/lib/one_gadget/builds/libc-2.22-871cd1cac63b0dcd8f2cdd231291f9f89fe7c099.rb
+++ b/lib/one_gadget/builds/libc-2.22-871cd1cac63b0dcd8f2cdd231291f9f89fe7c099.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240024,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240026,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240030,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240037,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240072,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240073,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 399107,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-87e1ed146ef347cf326650e230524a6c8d4ed43d.rb b/lib/one_gadget/builds/libc-2.22-87e1ed146ef347cf326650e230524a6c8d4ed43d.rb
index a6f2712..f1689f1 100644
--- a/lib/one_gadget/builds/libc-2.22-87e1ed146ef347cf326650e230524a6c8d4ed43d.rb
+++ b/lib/one_gadget/builds/libc-2.22-87e1ed146ef347cf326650e230524a6c8d4ed43d.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 260303,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260310,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 260394,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 760752,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 760972,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 882925,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 882937,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 898257,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-8c48d3a9f8dea201de2948aa7f78c6a42ffa47cf.rb b/lib/one_gadget/builds/libc-2.22-8c48d3a9f8dea201de2948aa7f78c6a42ffa47cf.rb
index 682a5da..f1b9684 100644
--- a/lib/one_gadget/builds/libc-2.22-8c48d3a9f8dea201de2948aa7f78c6a42ffa47cf.rb
+++ b/lib/one_gadget/builds/libc-2.22-8c48d3a9f8dea201de2948aa7f78c6a42ffa47cf.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259471,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259478,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259562,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 759607,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 759816,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 881223,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 881235,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 895985,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-916b3d65c4f43150dea643a905c1a2a68efc3fb6.rb b/lib/one_gadget/builds/libc-2.22-916b3d65c4f43150dea643a905c1a2a68efc3fb6.rb
index 73c836e..3d4fe14 100644
--- a/lib/one_gadget/builds/libc-2.22-916b3d65c4f43150dea643a905c1a2a68efc3fb6.rb
+++ b/lib/one_gadget/builds/libc-2.22-916b3d65c4f43150dea643a905c1a2a68efc3fb6.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240104,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240110,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240117,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240152,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240153,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400147,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-91dee95c3183246a5332357b814a08ba9c05d999.rb b/lib/one_gadget/builds/libc-2.22-91dee95c3183246a5332357b814a08ba9c05d999.rb
index 9b4a108..035a8ba 100644
--- a/lib/one_gadget/builds/libc-2.22-91dee95c3183246a5332357b814a08ba9c05d999.rb
+++ b/lib/one_gadget/builds/libc-2.22-91dee95c3183246a5332357b814a08ba9c05d999.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233093,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233095,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233099,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233141,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233142,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393535,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-91fcf48a9dd99f320b205a2feef18c2edfdbaeba.rb b/lib/one_gadget/builds/libc-2.22-91fcf48a9dd99f320b205a2feef18c2edfdbaeba.rb
index 605400c..8bc90d7 100644
--- a/lib/one_gadget/builds/libc-2.22-91fcf48a9dd99f320b205a2feef18c2edfdbaeba.rb
+++ b/lib/one_gadget/builds/libc-2.22-91fcf48a9dd99f320b205a2feef18c2edfdbaeba.rb
@@ -19,19 +19,19 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 436064,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 436083,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
OneGadget::Gadget.add(build_id, 436085,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
OneGadget::Gadget.add(build_id, 436089,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 436090,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 596016,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-92f57ef98cf5dc8e4d6b5df5cd1b9260b7e9975a.rb b/lib/one_gadget/builds/libc-2.22-92f57ef98cf5dc8e4d6b5df5cd1b9260b7e9975a.rb
index bad37c8..b6a621c 100644
--- a/lib/one_gadget/builds/libc-2.22-92f57ef98cf5dc8e4d6b5df5cd1b9260b7e9975a.rb
+++ b/lib/one_gadget/builds/libc-2.22-92f57ef98cf5dc8e4d6b5df5cd1b9260b7e9975a.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254162,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254169,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254253,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 706647,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 706856,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 835395,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 835407,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 849873,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-94075f4ca5cff8f90934c9e1706db8022e7d4ba1.rb b/lib/one_gadget/builds/libc-2.22-94075f4ca5cff8f90934c9e1706db8022e7d4ba1.rb
index 4c7ba57..f157e7f 100644
--- a/lib/one_gadget/builds/libc-2.22-94075f4ca5cff8f90934c9e1706db8022e7d4ba1.rb
+++ b/lib/one_gadget/builds/libc-2.22-94075f4ca5cff8f90934c9e1706db8022e7d4ba1.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259407,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259414,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259498,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 759543,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 759752,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 881159,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 881171,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 895921,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-94140487ddd020e65cb6c3f9ae09275ca91dc47c.rb b/lib/one_gadget/builds/libc-2.22-94140487ddd020e65cb6c3f9ae09275ca91dc47c.rb
index 403b067..a2643f6 100644
--- a/lib/one_gadget/builds/libc-2.22-94140487ddd020e65cb6c3f9ae09275ca91dc47c.rb
+++ b/lib/one_gadget/builds/libc-2.22-94140487ddd020e65cb6c3f9ae09275ca91dc47c.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254130,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254137,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254221,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 706983,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 707192,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 835315,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 835327,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 849793,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-94b271ac2dedc103ec8d042bb40a418a042dceb9.rb b/lib/one_gadget/builds/libc-2.22-94b271ac2dedc103ec8d042bb40a418a042dceb9.rb
index be8c06e..99b1183 100644
--- a/lib/one_gadget/builds/libc-2.22-94b271ac2dedc103ec8d042bb40a418a042dceb9.rb
+++ b/lib/one_gadget/builds/libc-2.22-94b271ac2dedc103ec8d042bb40a418a042dceb9.rb
@@ -19,19 +19,19 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 436064,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 436083,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
OneGadget::Gadget.add(build_id, 436085,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
OneGadget::Gadget.add(build_id, 436089,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 436090,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 596016,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-9686e55d792fbbcc0ae8589a69c8b15d2444ac65.rb b/lib/one_gadget/builds/libc-2.22-9686e55d792fbbcc0ae8589a69c8b15d2444ac65.rb
index 8941f5d..3cd9b32 100644
--- a/lib/one_gadget/builds/libc-2.22-9686e55d792fbbcc0ae8589a69c8b15d2444ac65.rb
+++ b/lib/one_gadget/builds/libc-2.22-9686e55d792fbbcc0ae8589a69c8b15d2444ac65.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233093,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233095,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233099,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233141,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233142,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393535,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-a352f9564e9d19391f222c67e5c64e09f949df4e.rb b/lib/one_gadget/builds/libc-2.22-a352f9564e9d19391f222c67e5c64e09f949df4e.rb
index ddd0eb1..77d954a 100644
--- a/lib/one_gadget/builds/libc-2.22-a352f9564e9d19391f222c67e5c64e09f949df4e.rb
+++ b/lib/one_gadget/builds/libc-2.22-a352f9564e9d19391f222c67e5c64e09f949df4e.rb
@@ -19,19 +19,19 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 436864,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 436883,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
OneGadget::Gadget.add(build_id, 436885,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
OneGadget::Gadget.add(build_id, 436889,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 436890,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 596160,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-a506f6e38353adbb19bd22872b2fa8831c32c63d.rb b/lib/one_gadget/builds/libc-2.22-a506f6e38353adbb19bd22872b2fa8831c32c63d.rb
index af34317..ef034e8 100644
--- a/lib/one_gadget/builds/libc-2.22-a506f6e38353adbb19bd22872b2fa8831c32c63d.rb
+++ b/lib/one_gadget/builds/libc-2.22-a506f6e38353adbb19bd22872b2fa8831c32c63d.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240104,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240110,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240117,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240152,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240153,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400147,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-a5a6daa9eb710b5fc311bdd17696bb25e98d9dab.rb b/lib/one_gadget/builds/libc-2.22-a5a6daa9eb710b5fc311bdd17696bb25e98d9dab.rb
index e8772b3..784ea9c 100644
--- a/lib/one_gadget/builds/libc-2.22-a5a6daa9eb710b5fc311bdd17696bb25e98d9dab.rb
+++ b/lib/one_gadget/builds/libc-2.22-a5a6daa9eb710b5fc311bdd17696bb25e98d9dab.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259439,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259446,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259530,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 759079,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 759288,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 881191,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 881203,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 896001,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-a61e9f882f22a77b803a1fa28912b2636913ea56.rb b/lib/one_gadget/builds/libc-2.22-a61e9f882f22a77b803a1fa28912b2636913ea56.rb
index 48fd070..bd2a717 100644
--- a/lib/one_gadget/builds/libc-2.22-a61e9f882f22a77b803a1fa28912b2636913ea56.rb
+++ b/lib/one_gadget/builds/libc-2.22-a61e9f882f22a77b803a1fa28912b2636913ea56.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240120,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240122,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240126,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240133,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240168,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240169,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400163,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-ac771fb8769897775bb6df04fe982d7a79684c8a.rb b/lib/one_gadget/builds/libc-2.22-ac771fb8769897775bb6df04fe982d7a79684c8a.rb
index 18db352..fff80ae 100644
--- a/lib/one_gadget/builds/libc-2.22-ac771fb8769897775bb6df04fe982d7a79684c8a.rb
+++ b/lib/one_gadget/builds/libc-2.22-ac771fb8769897775bb6df04fe982d7a79684c8a.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 232725,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 232727,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 232731,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 232738,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 232773,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 232774,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393487,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-b213a4604fc2c8fd113ae890a97c3c2ad4022ceb.rb b/lib/one_gadget/builds/libc-2.22-b213a4604fc2c8fd113ae890a97c3c2ad4022ceb.rb
index f23bf8c..c9e22b0 100644
--- a/lib/one_gadget/builds/libc-2.22-b213a4604fc2c8fd113ae890a97c3c2ad4022ceb.rb
+++ b/lib/one_gadget/builds/libc-2.22-b213a4604fc2c8fd113ae890a97c3c2ad4022ceb.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233061,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233063,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233067,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233074,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233109,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233110,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393455,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-b916e3c1d80069d0209f6376b33e42b75ec49eda.rb b/lib/one_gadget/builds/libc-2.22-b916e3c1d80069d0209f6376b33e42b75ec49eda.rb
index 2541e32..8170bf7 100644
--- a/lib/one_gadget/builds/libc-2.22-b916e3c1d80069d0209f6376b33e42b75ec49eda.rb
+++ b/lib/one_gadget/builds/libc-2.22-b916e3c1d80069d0209f6376b33e42b75ec49eda.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 241007,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 241009,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 241013,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241020,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241055,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241056,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 401703,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-b941d9b157b159697c7cbfa154c410b23be1a7af.rb b/lib/one_gadget/builds/libc-2.22-b941d9b157b159697c7cbfa154c410b23be1a7af.rb
index d240595..9f2c983 100644
--- a/lib/one_gadget/builds/libc-2.22-b941d9b157b159697c7cbfa154c410b23be1a7af.rb
+++ b/lib/one_gadget/builds/libc-2.22-b941d9b157b159697c7cbfa154c410b23be1a7af.rb
@@ -19,19 +19,19 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 436064,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 436083,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
OneGadget::Gadget.add(build_id, 436085,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
OneGadget::Gadget.add(build_id, 436089,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 436090,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 595920,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-bdbc01430dbd0c80011dea9852f3ae257bcf3138.rb b/lib/one_gadget/builds/libc-2.22-bdbc01430dbd0c80011dea9852f3ae257bcf3138.rb
index 588abc3..9f1a6a0 100644
--- a/lib/one_gadget/builds/libc-2.22-bdbc01430dbd0c80011dea9852f3ae257bcf3138.rb
+++ b/lib/one_gadget/builds/libc-2.22-bdbc01430dbd0c80011dea9852f3ae257bcf3138.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254162,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254169,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254253,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 706647,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 706856,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 835395,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 835407,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 849873,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-bfdfa3833107e0041ab896c1dbfd0a4f1c4fec77.rb b/lib/one_gadget/builds/libc-2.22-bfdfa3833107e0041ab896c1dbfd0a4f1c4fec77.rb
index ae339c3..b855fba 100644
--- a/lib/one_gadget/builds/libc-2.22-bfdfa3833107e0041ab896c1dbfd0a4f1c4fec77.rb
+++ b/lib/one_gadget/builds/libc-2.22-bfdfa3833107e0041ab896c1dbfd0a4f1c4fec77.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240120,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240122,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240126,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240133,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240168,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240169,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400163,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-c2931cdba68412c1b871f960b4005f70847b29c3.rb b/lib/one_gadget/builds/libc-2.22-c2931cdba68412c1b871f960b4005f70847b29c3.rb
index 2072046..9c0f5f2 100644
--- a/lib/one_gadget/builds/libc-2.22-c2931cdba68412c1b871f960b4005f70847b29c3.rb
+++ b/lib/one_gadget/builds/libc-2.22-c2931cdba68412c1b871f960b4005f70847b29c3.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240120,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240122,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240126,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240133,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240168,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240169,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400163,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-c65d9bac0e2687bd08337088466a686c40479e5d.rb b/lib/one_gadget/builds/libc-2.22-c65d9bac0e2687bd08337088466a686c40479e5d.rb
index f30b09f..b78ed65 100644
--- a/lib/one_gadget/builds/libc-2.22-c65d9bac0e2687bd08337088466a686c40479e5d.rb
+++ b/lib/one_gadget/builds/libc-2.22-c65d9bac0e2687bd08337088466a686c40479e5d.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 232997,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 232999,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233003,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233010,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233045,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233046,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 392527,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-c6799f7a3df15cf4c4b5c273686e7cb3283e0337.rb b/lib/one_gadget/builds/libc-2.22-c6799f7a3df15cf4c4b5c273686e7cb3283e0337.rb
index 44632c3..5ce1f7b 100644
--- a/lib/one_gadget/builds/libc-2.22-c6799f7a3df15cf4c4b5c273686e7cb3283e0337.rb
+++ b/lib/one_gadget/builds/libc-2.22-c6799f7a3df15cf4c4b5c273686e7cb3283e0337.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240104,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240110,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240117,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240152,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240153,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400147,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-cb354ede0283a824c81183b1ffb6add90255edb6.rb b/lib/one_gadget/builds/libc-2.22-cb354ede0283a824c81183b1ffb6add90255edb6.rb
index d0a4184..3e55a37 100644
--- a/lib/one_gadget/builds/libc-2.22-cb354ede0283a824c81183b1ffb6add90255edb6.rb
+++ b/lib/one_gadget/builds/libc-2.22-cb354ede0283a824c81183b1ffb6add90255edb6.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240104,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240110,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240117,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240152,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240153,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400147,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-cee6e82b12f7c94f715fc96dcd4544a44997dbb5.rb b/lib/one_gadget/builds/libc-2.22-cee6e82b12f7c94f715fc96dcd4544a44997dbb5.rb
index dd39cbb..1ac6eed 100644
--- a/lib/one_gadget/builds/libc-2.22-cee6e82b12f7c94f715fc96dcd4544a44997dbb5.rb
+++ b/lib/one_gadget/builds/libc-2.22-cee6e82b12f7c94f715fc96dcd4544a44997dbb5.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 232725,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 232727,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 232731,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 232738,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 232773,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 232774,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393407,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-d0516d4ba12ccc659906a5f122f8637279970bf4.rb b/lib/one_gadget/builds/libc-2.22-d0516d4ba12ccc659906a5f122f8637279970bf4.rb
index 8a1f68d..e482389 100644
--- a/lib/one_gadget/builds/libc-2.22-d0516d4ba12ccc659906a5f122f8637279970bf4.rb
+++ b/lib/one_gadget/builds/libc-2.22-d0516d4ba12ccc659906a5f122f8637279970bf4.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240088,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240090,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240094,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240101,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240136,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240137,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400131,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-d088eee45f6cbd649b53ae99b68a91823d86c6d6.rb b/lib/one_gadget/builds/libc-2.22-d088eee45f6cbd649b53ae99b68a91823d86c6d6.rb
index f291358..ef9def6 100644
--- a/lib/one_gadget/builds/libc-2.22-d088eee45f6cbd649b53ae99b68a91823d86c6d6.rb
+++ b/lib/one_gadget/builds/libc-2.22-d088eee45f6cbd649b53ae99b68a91823d86c6d6.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233061,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233063,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233067,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233074,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233109,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233110,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393455,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-dcc06a908986f225fded745f7f884bf50fd5b434.rb b/lib/one_gadget/builds/libc-2.22-dcc06a908986f225fded745f7f884bf50fd5b434.rb
index 830ab54..f66c123 100644
--- a/lib/one_gadget/builds/libc-2.22-dcc06a908986f225fded745f7f884bf50fd5b434.rb
+++ b/lib/one_gadget/builds/libc-2.22-dcc06a908986f225fded745f7f884bf50fd5b434.rb
@@ -19,19 +19,19 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 436064,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 436083,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
OneGadget::Gadget.add(build_id, 436085,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
OneGadget::Gadget.add(build_id, 436089,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 436090,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 595920,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-dd900e0adc14d176fe33f2b6e5d8dbe2bacb48d0.rb b/lib/one_gadget/builds/libc-2.22-dd900e0adc14d176fe33f2b6e5d8dbe2bacb48d0.rb
index a8165d5..6e0b081 100644
--- a/lib/one_gadget/builds/libc-2.22-dd900e0adc14d176fe33f2b6e5d8dbe2bacb48d0.rb
+++ b/lib/one_gadget/builds/libc-2.22-dd900e0adc14d176fe33f2b6e5d8dbe2bacb48d0.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259439,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259446,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259530,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 759175,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 759384,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 881287,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 881299,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 896049,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-e1d7f9459324fd489e82a931f9bbe3b10cfc4436.rb b/lib/one_gadget/builds/libc-2.22-e1d7f9459324fd489e82a931f9bbe3b10cfc4436.rb
index 952dc97..ee975cb 100644
--- a/lib/one_gadget/builds/libc-2.22-e1d7f9459324fd489e82a931f9bbe3b10cfc4436.rb
+++ b/lib/one_gadget/builds/libc-2.22-e1d7f9459324fd489e82a931f9bbe3b10cfc4436.rb
@@ -19,19 +19,19 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 436960,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 436979,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
OneGadget::Gadget.add(build_id, 436981,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
OneGadget::Gadget.add(build_id, 436985,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 436986,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 596256,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-e259f9732c7269eccd67dc7f8bbceded2a909972.rb b/lib/one_gadget/builds/libc-2.22-e259f9732c7269eccd67dc7f8bbceded2a909972.rb
index 014d9a2..08c20ff 100644
--- a/lib/one_gadget/builds/libc-2.22-e259f9732c7269eccd67dc7f8bbceded2a909972.rb
+++ b/lib/one_gadget/builds/libc-2.22-e259f9732c7269eccd67dc7f8bbceded2a909972.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240104,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240110,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240117,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240152,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240153,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400147,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-e7e6d42611b69819d39439c2ee93305f6305ed90.rb b/lib/one_gadget/builds/libc-2.22-e7e6d42611b69819d39439c2ee93305f6305ed90.rb
index 91a5412..f38dfdf 100644
--- a/lib/one_gadget/builds/libc-2.22-e7e6d42611b69819d39439c2ee93305f6305ed90.rb
+++ b/lib/one_gadget/builds/libc-2.22-e7e6d42611b69819d39439c2ee93305f6305ed90.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259327,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259334,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259418,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 758855,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 759064,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 881191,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 881203,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 896129,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-eb0fe6bc985d025bfeeb207924823e7c2c7a77e6.rb b/lib/one_gadget/builds/libc-2.22-eb0fe6bc985d025bfeeb207924823e7c2c7a77e6.rb
index e49e298..20a8e34 100644
--- a/lib/one_gadget/builds/libc-2.22-eb0fe6bc985d025bfeeb207924823e7c2c7a77e6.rb
+++ b/lib/one_gadget/builds/libc-2.22-eb0fe6bc985d025bfeeb207924823e7c2c7a77e6.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254162,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254169,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254253,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 706647,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 706856,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 835395,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 835407,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 849873,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-eb2c0cc31e0d158b487d1010b30fa7ed358fcbd7.rb b/lib/one_gadget/builds/libc-2.22-eb2c0cc31e0d158b487d1010b30fa7ed358fcbd7.rb
index 3e9e12c..05ead7b 100644
--- a/lib/one_gadget/builds/libc-2.22-eb2c0cc31e0d158b487d1010b30fa7ed358fcbd7.rb
+++ b/lib/one_gadget/builds/libc-2.22-eb2c0cc31e0d158b487d1010b30fa7ed358fcbd7.rb
@@ -19,19 +19,19 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 436064,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 436083,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
OneGadget::Gadget.add(build_id, 436085,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
OneGadget::Gadget.add(build_id, 436089,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 436090,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 596016,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-ee60bf5cd327f0aa534fd8c37a8733e942707a0a.rb b/lib/one_gadget/builds/libc-2.22-ee60bf5cd327f0aa534fd8c37a8733e942707a0a.rb
index 75e996d..6157e65 100644
--- a/lib/one_gadget/builds/libc-2.22-ee60bf5cd327f0aa534fd8c37a8733e942707a0a.rb
+++ b/lib/one_gadget/builds/libc-2.22-ee60bf5cd327f0aa534fd8c37a8733e942707a0a.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233061,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233063,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233067,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233074,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233109,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233110,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393455,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-efd6084786349d5763237b1caeb3d5d9f61dce75.rb b/lib/one_gadget/builds/libc-2.22-efd6084786349d5763237b1caeb3d5d9f61dce75.rb
index 87a9b7c..3a3b639 100644
--- a/lib/one_gadget/builds/libc-2.22-efd6084786349d5763237b1caeb3d5d9f61dce75.rb
+++ b/lib/one_gadget/builds/libc-2.22-efd6084786349d5763237b1caeb3d5d9f61dce75.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259439,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259446,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259530,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 759159,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 759368,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 881303,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 881315,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 896065,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-f21f4b63fbd354522a1c37a982da46973b6a95ef.rb b/lib/one_gadget/builds/libc-2.22-f21f4b63fbd354522a1c37a982da46973b6a95ef.rb
index e529633..6594dd4 100644
--- a/lib/one_gadget/builds/libc-2.22-f21f4b63fbd354522a1c37a982da46973b6a95ef.rb
+++ b/lib/one_gadget/builds/libc-2.22-f21f4b63fbd354522a1c37a982da46973b6a95ef.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240120,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240122,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240126,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240133,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240168,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240169,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 400163,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-f43f58b45b8c7fe20d3c3c9f812f50a7755615d3.rb b/lib/one_gadget/builds/libc-2.22-f43f58b45b8c7fe20d3c3c9f812f50a7755615d3.rb
index e5398f7..ebc9f77 100644
--- a/lib/one_gadget/builds/libc-2.22-f43f58b45b8c7fe20d3c3c9f812f50a7755615d3.rb
+++ b/lib/one_gadget/builds/libc-2.22-f43f58b45b8c7fe20d3c3c9f812f50a7755615d3.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259407,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259414,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259498,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 759543,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 759752,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 881159,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 881171,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 895921,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-fa6cf8c4105217d0cf2609ab83ec3c9d4d3c5d41.rb b/lib/one_gadget/builds/libc-2.22-fa6cf8c4105217d0cf2609ab83ec3c9d4d3c5d41.rb
index b8291c4..3ab8511 100644
--- a/lib/one_gadget/builds/libc-2.22-fa6cf8c4105217d0cf2609ab83ec3c9d4d3c5d41.rb
+++ b/lib/one_gadget/builds/libc-2.22-fa6cf8c4105217d0cf2609ab83ec3c9d4d3c5d41.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233061,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233063,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233067,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233074,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233109,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233110,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393455,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-faef9af5a88432766d76d7da2cf961c75b6e0e0b.rb b/lib/one_gadget/builds/libc-2.22-faef9af5a88432766d76d7da2cf961c75b6e0e0b.rb
index feebbe7..d8cd8cc 100644
--- a/lib/one_gadget/builds/libc-2.22-faef9af5a88432766d76d7da2cf961c75b6e0e0b.rb
+++ b/lib/one_gadget/builds/libc-2.22-faef9af5a88432766d76d7da2cf961c75b6e0e0b.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240719,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240721,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240725,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240732,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240767,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240768,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 401415,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-ff7fbdaaef014460825b4ef5848e86834aa3880c.rb b/lib/one_gadget/builds/libc-2.22-ff7fbdaaef014460825b4ef5848e86834aa3880c.rb
index bcc17c2..ab29078 100644
--- a/lib/one_gadget/builds/libc-2.22-ff7fbdaaef014460825b4ef5848e86834aa3880c.rb
+++ b/lib/one_gadget/builds/libc-2.22-ff7fbdaaef014460825b4ef5848e86834aa3880c.rb
@@ -19,19 +19,19 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 436064,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 436083,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
OneGadget::Gadget.add(build_id, 436085,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
OneGadget::Gadget.add(build_id, 436089,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 436090,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 595920,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-012683a92d161c37d51d89711c4870ba30904c3d.rb b/lib/one_gadget/builds/libc-2.23-012683a92d161c37d51d89711c4870ba30904c3d.rb
index f75e976..82219c1 100644
--- a/lib/one_gadget/builds/libc-2.23-012683a92d161c37d51d89711c4870ba30904c3d.rb
+++ b/lib/one_gadget/builds/libc-2.23-012683a92d161c37d51d89711c4870ba30904c3d.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233301,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233303,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233307,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233314,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233349,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233350,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 383199,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-088165fba081e659b7ea6463eab7bcac70363656.rb b/lib/one_gadget/builds/libc-2.23-088165fba081e659b7ea6463eab7bcac70363656.rb
index 3c8fa9f..eedd928 100644
--- a/lib/one_gadget/builds/libc-2.23-088165fba081e659b7ea6463eab7bcac70363656.rb
+++ b/lib/one_gadget/builds/libc-2.23-088165fba081e659b7ea6463eab7bcac70363656.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240412,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240414,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240418,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240425,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240460,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240461,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 383157,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-0ae3de55854513a2a7d4979337176c0717efce8a.rb b/lib/one_gadget/builds/libc-2.23-0ae3de55854513a2a7d4979337176c0717efce8a.rb
index d546a4e..06bb1a2 100644
--- a/lib/one_gadget/builds/libc-2.23-0ae3de55854513a2a7d4979337176c0717efce8a.rb
+++ b/lib/one_gadget/builds/libc-2.23-0ae3de55854513a2a7d4979337176c0717efce8a.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258975,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258982,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259066,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 752727,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 752936,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 874055,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 874067,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 888817,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-0c23056feb23daf0cb1d2f90e153b5f892df83c6.rb b/lib/one_gadget/builds/libc-2.23-0c23056feb23daf0cb1d2f90e153b5f892df83c6.rb
index 1396407..6566e2c 100644
--- a/lib/one_gadget/builds/libc-2.23-0c23056feb23daf0cb1d2f90e153b5f892df83c6.rb
+++ b/lib/one_gadget/builds/libc-2.23-0c23056feb23daf0cb1d2f90e153b5f892df83c6.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239388,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239390,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239394,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239401,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239436,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239437,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 388917,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-11ae3441756e6c2ebf5c962434bf9f07b3ea3deb.rb b/lib/one_gadget/builds/libc-2.23-11ae3441756e6c2ebf5c962434bf9f07b3ea3deb.rb
index 83dafd6..202ee7b 100644
--- a/lib/one_gadget/builds/libc-2.23-11ae3441756e6c2ebf5c962434bf9f07b3ea3deb.rb
+++ b/lib/one_gadget/builds/libc-2.23-11ae3441756e6c2ebf5c962434bf9f07b3ea3deb.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233301,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233303,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233307,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233314,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233349,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233350,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 383167,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-131c254aed46e6a24cb08f3abe802ea0ef50e5f9.rb b/lib/one_gadget/builds/libc-2.23-131c254aed46e6a24cb08f3abe802ea0ef50e5f9.rb
index 4f8b1a0..2b016f0 100644
--- a/lib/one_gadget/builds/libc-2.23-131c254aed46e6a24cb08f3abe802ea0ef50e5f9.rb
+++ b/lib/one_gadget/builds/libc-2.23-131c254aed46e6a24cb08f3abe802ea0ef50e5f9.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259231,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259238,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259322,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 753543,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 753752,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 875399,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 875411,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 890161,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-1800a4bdb0c42a7bb7a570ed90724fa04de8a4fe.rb b/lib/one_gadget/builds/libc-2.23-1800a4bdb0c42a7bb7a570ed90724fa04de8a4fe.rb
index 1c415b7..dfb4494 100644
--- a/lib/one_gadget/builds/libc-2.23-1800a4bdb0c42a7bb7a570ed90724fa04de8a4fe.rb
+++ b/lib/one_gadget/builds/libc-2.23-1800a4bdb0c42a7bb7a570ed90724fa04de8a4fe.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239644,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239646,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239650,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239657,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239692,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239693,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 389221,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-18f761287ed46e213bec29c2e440e73fd72373be.rb b/lib/one_gadget/builds/libc-2.23-18f761287ed46e213bec29c2e440e73fd72373be.rb
index 8925d7e..b9655e0 100644
--- a/lib/one_gadget/builds/libc-2.23-18f761287ed46e213bec29c2e440e73fd72373be.rb
+++ b/lib/one_gadget/builds/libc-2.23-18f761287ed46e213bec29c2e440e73fd72373be.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240748,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240750,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240754,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240761,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240796,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240797,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 392149,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-1b1d19add6d861e16e04e4b8e9864a7bc16c1327.rb b/lib/one_gadget/builds/libc-2.23-1b1d19add6d861e16e04e4b8e9864a7bc16c1327.rb
index d985412..6da233a 100644
--- a/lib/one_gadget/builds/libc-2.23-1b1d19add6d861e16e04e4b8e9864a7bc16c1327.rb
+++ b/lib/one_gadget/builds/libc-2.23-1b1d19add6d861e16e04e4b8e9864a7bc16c1327.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233317,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233319,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233323,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233330,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233365,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233366,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 383183,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-1e80992437b5e1cb76bf56605ee8991e76e85f69.rb b/lib/one_gadget/builds/libc-2.23-1e80992437b5e1cb76bf56605ee8991e76e85f69.rb
index c52c8fb..e5a5cdc 100644
--- a/lib/one_gadget/builds/libc-2.23-1e80992437b5e1cb76bf56605ee8991e76e85f69.rb
+++ b/lib/one_gadget/builds/libc-2.23-1e80992437b5e1cb76bf56605ee8991e76e85f69.rb
@@ -19,19 +19,19 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 437664,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 437683,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
OneGadget::Gadget.add(build_id, 437685,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
OneGadget::Gadget.add(build_id, 437689,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 437690,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 584400,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-1f1cf1c7ff279aa37add352423fd850e06be1098.rb b/lib/one_gadget/builds/libc-2.23-1f1cf1c7ff279aa37add352423fd850e06be1098.rb
index e5cf623..67d6d9b 100644
--- a/lib/one_gadget/builds/libc-2.23-1f1cf1c7ff279aa37add352423fd850e06be1098.rb
+++ b/lib/one_gadget/builds/libc-2.23-1f1cf1c7ff279aa37add352423fd850e06be1098.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239452,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239454,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239458,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239465,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239500,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239501,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 388789,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-233dde1d38ecdc54bef352f1b5ee4e007ec9df26.rb b/lib/one_gadget/builds/libc-2.23-233dde1d38ecdc54bef352f1b5ee4e007ec9df26.rb
index 6ac16f6..6700709 100644
--- a/lib/one_gadget/builds/libc-2.23-233dde1d38ecdc54bef352f1b5ee4e007ec9df26.rb
+++ b/lib/one_gadget/builds/libc-2.23-233dde1d38ecdc54bef352f1b5ee4e007ec9df26.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240716,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240718,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240722,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240729,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240764,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240765,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 390469,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-2891dc7656eed3d8d4f255c41ca6a28caf532079.rb b/lib/one_gadget/builds/libc-2.23-2891dc7656eed3d8d4f255c41ca6a28caf532079.rb
index ab5ba56..b52cf6a 100644
--- a/lib/one_gadget/builds/libc-2.23-2891dc7656eed3d8d4f255c41ca6a28caf532079.rb
+++ b/lib/one_gadget/builds/libc-2.23-2891dc7656eed3d8d4f255c41ca6a28caf532079.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239388,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239390,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239394,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239401,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239436,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239437,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 388917,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-29e38445a740bba5a77b86691e3c51a7e48dc79b.rb b/lib/one_gadget/builds/libc-2.23-29e38445a740bba5a77b86691e3c51a7e48dc79b.rb
index 435388f..614edee 100644
--- a/lib/one_gadget/builds/libc-2.23-29e38445a740bba5a77b86691e3c51a7e48dc79b.rb
+++ b/lib/one_gadget/builds/libc-2.23-29e38445a740bba5a77b86691e3c51a7e48dc79b.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239628,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239630,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239634,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239641,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239676,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239677,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 389221,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-2aedae2bb27ac85cf14c36da79747dd88bb2b633.rb b/lib/one_gadget/builds/libc-2.23-2aedae2bb27ac85cf14c36da79747dd88bb2b633.rb
index e187c8d..058473f 100644
--- a/lib/one_gadget/builds/libc-2.23-2aedae2bb27ac85cf14c36da79747dd88bb2b633.rb
+++ b/lib/one_gadget/builds/libc-2.23-2aedae2bb27ac85cf14c36da79747dd88bb2b633.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239452,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239454,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239458,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239465,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239500,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239501,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 388789,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-2c4ed1bebc9ede033fbbb422f84da9a93cacd88e.rb b/lib/one_gadget/builds/libc-2.23-2c4ed1bebc9ede033fbbb422f84da9a93cacd88e.rb
index 93738f8..b56cbd2 100644
--- a/lib/one_gadget/builds/libc-2.23-2c4ed1bebc9ede033fbbb422f84da9a93cacd88e.rb
+++ b/lib/one_gadget/builds/libc-2.23-2c4ed1bebc9ede033fbbb422f84da9a93cacd88e.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233365,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233367,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233371,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233378,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233413,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233414,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 383087,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-30773be8cf5bfed9d910c8473dd44eaab2e705ab.rb b/lib/one_gadget/builds/libc-2.23-30773be8cf5bfed9d910c8473dd44eaab2e705ab.rb
index 40a6d24..a7b25bf 100644
--- a/lib/one_gadget/builds/libc-2.23-30773be8cf5bfed9d910c8473dd44eaab2e705ab.rb
+++ b/lib/one_gadget/builds/libc-2.23-30773be8cf5bfed9d910c8473dd44eaab2e705ab.rb
@@ -19,28 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 283167,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 283174,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 283258,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 840051,
- constraints: ["[rcx] == NULL || rcx == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, r12)")
OneGadget::Gadget.add(build_id, 840264,
- constraints: ["[rax] == NULL || rax == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rax] == NULL || rax == NULL || rax is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rax, r12)")
OneGadget::Gadget.add(build_id, 983972,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 983984,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 987719,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 1009648,
- constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL || [rbp-0xf8] is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, [rbp-0xf8])")
diff --git a/lib/one_gadget/builds/libc-2.23-336976f90c600be7c95a68be6c2f0652cc22347c.rb b/lib/one_gadget/builds/libc-2.23-336976f90c600be7c95a68be6c2f0652cc22347c.rb
index 753537b..1fffac3 100644
--- a/lib/one_gadget/builds/libc-2.23-336976f90c600be7c95a68be6c2f0652cc22347c.rb
+++ b/lib/one_gadget/builds/libc-2.23-336976f90c600be7c95a68be6c2f0652cc22347c.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240188,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240190,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240194,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240201,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240236,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240237,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 390101,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-3612e20f3e2705dcf8fd81ac494a0e20b9e16764.rb b/lib/one_gadget/builds/libc-2.23-3612e20f3e2705dcf8fd81ac494a0e20b9e16764.rb
index 431848e..bf64688 100644
--- a/lib/one_gadget/builds/libc-2.23-3612e20f3e2705dcf8fd81ac494a0e20b9e16764.rb
+++ b/lib/one_gadget/builds/libc-2.23-3612e20f3e2705dcf8fd81ac494a0e20b9e16764.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240188,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240190,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240194,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240201,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240236,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240237,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 390101,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-369de0e1d833caa693af17f17c83ba937f0a4dad.rb b/lib/one_gadget/builds/libc-2.23-369de0e1d833caa693af17f17c83ba937f0a4dad.rb
index 42e67f5..7191e32 100644
--- a/lib/one_gadget/builds/libc-2.23-369de0e1d833caa693af17f17c83ba937f0a4dad.rb
+++ b/lib/one_gadget/builds/libc-2.23-369de0e1d833caa693af17f17c83ba937f0a4dad.rb
@@ -19,28 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 283135,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 283142,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 283226,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 837235,
- constraints: ["[rcx] == NULL || rcx == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, r12)")
OneGadget::Gadget.add(build_id, 837448,
- constraints: ["[rax] == NULL || rax == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rax] == NULL || rax == NULL || rax is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rax, r12)")
OneGadget::Gadget.add(build_id, 981492,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 981504,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 985239,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 1007168,
- constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL || [rbp-0xf8] is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, [rbp-0xf8])")
diff --git a/lib/one_gadget/builds/libc-2.23-39fa51127c50ad10c32a19e0a1a587a05b8d450b.rb b/lib/one_gadget/builds/libc-2.23-39fa51127c50ad10c32a19e0a1a587a05b8d450b.rb
index 07a5cce..b5cc09e 100644
--- a/lib/one_gadget/builds/libc-2.23-39fa51127c50ad10c32a19e0a1a587a05b8d450b.rb
+++ b/lib/one_gadget/builds/libc-2.23-39fa51127c50ad10c32a19e0a1a587a05b8d450b.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233301,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233303,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233307,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233314,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233349,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233350,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 383167,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-408d0e9e7720923def88a5aea9988cbaa0142b64.rb b/lib/one_gadget/builds/libc-2.23-408d0e9e7720923def88a5aea9988cbaa0142b64.rb
index 21a1de2..0c14280 100644
--- a/lib/one_gadget/builds/libc-2.23-408d0e9e7720923def88a5aea9988cbaa0142b64.rb
+++ b/lib/one_gadget/builds/libc-2.23-408d0e9e7720923def88a5aea9988cbaa0142b64.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259007,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259014,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259098,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 752759,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 752968,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 874087,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 874099,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 888849,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-414c35398dffe74ac9ed945e176d8fd99446d9de.rb b/lib/one_gadget/builds/libc-2.23-414c35398dffe74ac9ed945e176d8fd99446d9de.rb
index e117953..940a855 100644
--- a/lib/one_gadget/builds/libc-2.23-414c35398dffe74ac9ed945e176d8fd99446d9de.rb
+++ b/lib/one_gadget/builds/libc-2.23-414c35398dffe74ac9ed945e176d8fd99446d9de.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259135,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259142,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259226,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754615,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 754824,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 876631,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 876643,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 891553,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-49bd3f83d9b34b9f043e68624271c5ef90820021.rb b/lib/one_gadget/builds/libc-2.23-49bd3f83d9b34b9f043e68624271c5ef90820021.rb
index cdc17a1..e98f70f 100644
--- a/lib/one_gadget/builds/libc-2.23-49bd3f83d9b34b9f043e68624271c5ef90820021.rb
+++ b/lib/one_gadget/builds/libc-2.23-49bd3f83d9b34b9f043e68624271c5ef90820021.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239388,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239390,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239394,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239401,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239436,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239437,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 388917,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-4df2711ee6c911fe238cf10f43b08099201e57ec.rb b/lib/one_gadget/builds/libc-2.23-4df2711ee6c911fe238cf10f43b08099201e57ec.rb
index 488f0f6..c808ccd 100644
--- a/lib/one_gadget/builds/libc-2.23-4df2711ee6c911fe238cf10f43b08099201e57ec.rb
+++ b/lib/one_gadget/builds/libc-2.23-4df2711ee6c911fe238cf10f43b08099201e57ec.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258863,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258870,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258954,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 755157,
- constraints: ["[[rbp-0x38]] == NULL || [rbp-0x38] == NULL", "[rbx] == NULL || rbx == NULL"],
+ constraints: ["[[rbp-0x38]] == NULL || [rbp-0x38] == NULL || [rbp-0x38] is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x38], rbx)")
OneGadget::Gadget.add(build_id, 876757,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 876769,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.23-54128118082b61b311247f8fa6672b8df938748a.rb b/lib/one_gadget/builds/libc-2.23-54128118082b61b311247f8fa6672b8df938748a.rb
index ecb0dd1..c45f9bc 100644
--- a/lib/one_gadget/builds/libc-2.23-54128118082b61b311247f8fa6672b8df938748a.rb
+++ b/lib/one_gadget/builds/libc-2.23-54128118082b61b311247f8fa6672b8df938748a.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 283119,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 283126,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 283210,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 839212,
- constraints: ["[rax] == NULL || rax == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rax] == NULL || rax == NULL || rax is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rax, r12)")
OneGadget::Gadget.add(build_id, 983364,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 983376,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 987127,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 1008992,
- constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL || [rbp-0xf8] is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, [rbp-0xf8])")
diff --git a/lib/one_gadget/builds/libc-2.23-5d45b750d14b7b6ea11c2b57c73746b61592437b.rb b/lib/one_gadget/builds/libc-2.23-5d45b750d14b7b6ea11c2b57c73746b61592437b.rb
index 783d76c..0c7d6ea 100644
--- a/lib/one_gadget/builds/libc-2.23-5d45b750d14b7b6ea11c2b57c73746b61592437b.rb
+++ b/lib/one_gadget/builds/libc-2.23-5d45b750d14b7b6ea11c2b57c73746b61592437b.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254530,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254537,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254621,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 695431,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 695640,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 823779,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 823791,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 838257,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-5d511bfe32efcb567933d13ab9dc87f0a02d3651.rb b/lib/one_gadget/builds/libc-2.23-5d511bfe32efcb567933d13ab9dc87f0a02d3651.rb
index 40ffd08..9f0bb9d 100644
--- a/lib/one_gadget/builds/libc-2.23-5d511bfe32efcb567933d13ab9dc87f0a02d3651.rb
+++ b/lib/one_gadget/builds/libc-2.23-5d511bfe32efcb567933d13ab9dc87f0a02d3651.rb
@@ -19,19 +19,19 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 437664,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 437683,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
OneGadget::Gadget.add(build_id, 437685,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
OneGadget::Gadget.add(build_id, 437689,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 437690,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 584400,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-60ea46dff84c256650d44c1a32ca609168bee1a6.rb b/lib/one_gadget/builds/libc-2.23-60ea46dff84c256650d44c1a32ca609168bee1a6.rb
index 1746d56..13b0f48 100644
--- a/lib/one_gadget/builds/libc-2.23-60ea46dff84c256650d44c1a32ca609168bee1a6.rb
+++ b/lib/one_gadget/builds/libc-2.23-60ea46dff84c256650d44c1a32ca609168bee1a6.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239340,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239342,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239346,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239353,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239388,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239389,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 380565,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-635101aec7213fdc442419bf65a92047a862ff32.rb b/lib/one_gadget/builds/libc-2.23-635101aec7213fdc442419bf65a92047a862ff32.rb
index 2cb7651..533c958 100644
--- a/lib/one_gadget/builds/libc-2.23-635101aec7213fdc442419bf65a92047a862ff32.rb
+++ b/lib/one_gadget/builds/libc-2.23-635101aec7213fdc442419bf65a92047a862ff32.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239644,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239646,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239650,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239657,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239692,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239693,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 389237,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-6462f7cc95a34bd03f42ad150211db68fcf27d44.rb b/lib/one_gadget/builds/libc-2.23-6462f7cc95a34bd03f42ad150211db68fcf27d44.rb
index eaaad95..dbffe6d 100644
--- a/lib/one_gadget/builds/libc-2.23-6462f7cc95a34bd03f42ad150211db68fcf27d44.rb
+++ b/lib/one_gadget/builds/libc-2.23-6462f7cc95a34bd03f42ad150211db68fcf27d44.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240716,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240718,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240722,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240729,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240764,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240765,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 390485,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-697f7d05a70ecde852a2eed480bea6a6779b4a27.rb b/lib/one_gadget/builds/libc-2.23-697f7d05a70ecde852a2eed480bea6a6779b4a27.rb
index 862835d..6b9cb2b 100644
--- a/lib/one_gadget/builds/libc-2.23-697f7d05a70ecde852a2eed480bea6a6779b4a27.rb
+++ b/lib/one_gadget/builds/libc-2.23-697f7d05a70ecde852a2eed480bea6a6779b4a27.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258975,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258982,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259066,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 752727,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 752936,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 874055,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 874067,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 888817,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-7598dcdd3567efa7befebc6d97977e83d758c649.rb b/lib/one_gadget/builds/libc-2.23-7598dcdd3567efa7befebc6d97977e83d758c649.rb
index 3131efe..2e4d000 100644
--- a/lib/one_gadget/builds/libc-2.23-7598dcdd3567efa7befebc6d97977e83d758c649.rb
+++ b/lib/one_gadget/builds/libc-2.23-7598dcdd3567efa7befebc6d97977e83d758c649.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233349,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233351,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233355,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233362,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233397,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233398,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 383071,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-78e2b4f1945abc8f1db6d82acf6d1ef593d01e06.rb b/lib/one_gadget/builds/libc-2.23-78e2b4f1945abc8f1db6d82acf6d1ef593d01e06.rb
index f479049..b93322d 100644
--- a/lib/one_gadget/builds/libc-2.23-78e2b4f1945abc8f1db6d82acf6d1ef593d01e06.rb
+++ b/lib/one_gadget/builds/libc-2.23-78e2b4f1945abc8f1db6d82acf6d1ef593d01e06.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239388,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239390,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239394,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239401,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239436,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239437,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 388917,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-89cc3bb9361ad139a1967462175759416c9dc82b.rb b/lib/one_gadget/builds/libc-2.23-89cc3bb9361ad139a1967462175759416c9dc82b.rb
index 70dfcae..9d3f2ae 100644
--- a/lib/one_gadget/builds/libc-2.23-89cc3bb9361ad139a1967462175759416c9dc82b.rb
+++ b/lib/one_gadget/builds/libc-2.23-89cc3bb9361ad139a1967462175759416c9dc82b.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239612,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239614,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239618,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239625,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239660,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239661,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 389189,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-8b51f0e99fae7170859f393ba0118cc955c337b9.rb b/lib/one_gadget/builds/libc-2.23-8b51f0e99fae7170859f393ba0118cc955c337b9.rb
index ce6d340..b1a6e19 100644
--- a/lib/one_gadget/builds/libc-2.23-8b51f0e99fae7170859f393ba0118cc955c337b9.rb
+++ b/lib/one_gadget/builds/libc-2.23-8b51f0e99fae7170859f393ba0118cc955c337b9.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239388,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239390,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239394,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239401,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239436,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239437,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 388917,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-8c436e0b35bb19702fba4b5effb3f94edecc3c46.rb b/lib/one_gadget/builds/libc-2.23-8c436e0b35bb19702fba4b5effb3f94edecc3c46.rb
index df69a31..cdbb5f2 100644
--- a/lib/one_gadget/builds/libc-2.23-8c436e0b35bb19702fba4b5effb3f94edecc3c46.rb
+++ b/lib/one_gadget/builds/libc-2.23-8c436e0b35bb19702fba4b5effb3f94edecc3c46.rb
@@ -19,22 +19,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 486813,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x24, environ)")
OneGadget::Gadget.add(build_id, 486815,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 486819,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 486826,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 486861,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 486862,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 637251,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-8ccf267bc9d0f4706559d85cbeb704782dae9ede.rb b/lib/one_gadget/builds/libc-2.23-8ccf267bc9d0f4706559d85cbeb704782dae9ede.rb
index c7e997c..5523c01 100644
--- a/lib/one_gadget/builds/libc-2.23-8ccf267bc9d0f4706559d85cbeb704782dae9ede.rb
+++ b/lib/one_gadget/builds/libc-2.23-8ccf267bc9d0f4706559d85cbeb704782dae9ede.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239484,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239486,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239490,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239497,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239532,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239533,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 389808,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-946025a5cad7b5f2dfbaebc6ebd1fcc004349b48.rb b/lib/one_gadget/builds/libc-2.23-946025a5cad7b5f2dfbaebc6ebd1fcc004349b48.rb
index 9adb057..4ff7dd5 100644
--- a/lib/one_gadget/builds/libc-2.23-946025a5cad7b5f2dfbaebc6ebd1fcc004349b48.rb
+++ b/lib/one_gadget/builds/libc-2.23-946025a5cad7b5f2dfbaebc6ebd1fcc004349b48.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258863,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258870,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258954,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754597,
- constraints: ["[[rbp-0x38]] == NULL || [rbp-0x38] == NULL", "[rbx] == NULL || rbx == NULL"],
+ constraints: ["[[rbp-0x38]] == NULL || [rbp-0x38] == NULL || [rbp-0x38] is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x38], rbx)")
OneGadget::Gadget.add(build_id, 875749,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 875761,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.23-9600225be309ec27d01385dd52df9196e86ed3c0.rb b/lib/one_gadget/builds/libc-2.23-9600225be309ec27d01385dd52df9196e86ed3c0.rb
index 54d8444..7ef9f55 100644
--- a/lib/one_gadget/builds/libc-2.23-9600225be309ec27d01385dd52df9196e86ed3c0.rb
+++ b/lib/one_gadget/builds/libc-2.23-9600225be309ec27d01385dd52df9196e86ed3c0.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239388,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239390,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239394,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239401,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239436,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239437,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 388917,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-961068caa1dcd5005b27c7c6abe32e94102eae3f.rb b/lib/one_gadget/builds/libc-2.23-961068caa1dcd5005b27c7c6abe32e94102eae3f.rb
index ccd788d..ae09968 100644
--- a/lib/one_gadget/builds/libc-2.23-961068caa1dcd5005b27c7c6abe32e94102eae3f.rb
+++ b/lib/one_gadget/builds/libc-2.23-961068caa1dcd5005b27c7c6abe32e94102eae3f.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258975,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258982,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259066,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 752727,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 752936,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 874055,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 874067,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 888817,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-96f8c796364693379a2a0c753133fecbd1c52434.rb b/lib/one_gadget/builds/libc-2.23-96f8c796364693379a2a0c753133fecbd1c52434.rb
index 5afc47a..58deae3 100644
--- a/lib/one_gadget/builds/libc-2.23-96f8c796364693379a2a0c753133fecbd1c52434.rb
+++ b/lib/one_gadget/builds/libc-2.23-96f8c796364693379a2a0c753133fecbd1c52434.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240124,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240126,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240130,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240137,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240172,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240173,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 390517,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-99de357f509368d89f95b0e92b0d5227e8b8addc.rb b/lib/one_gadget/builds/libc-2.23-99de357f509368d89f95b0e92b0d5227e8b8addc.rb
index 021afae..4edb570 100644
--- a/lib/one_gadget/builds/libc-2.23-99de357f509368d89f95b0e92b0d5227e8b8addc.rb
+++ b/lib/one_gadget/builds/libc-2.23-99de357f509368d89f95b0e92b0d5227e8b8addc.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240188,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240190,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240194,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240201,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240236,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240237,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 390069,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-9e85392b0c4e3e2c8fdc063dfda4c3d0e0156e54.rb b/lib/one_gadget/builds/libc-2.23-9e85392b0c4e3e2c8fdc063dfda4c3d0e0156e54.rb
index c6d15f6..7a5f72f 100644
--- a/lib/one_gadget/builds/libc-2.23-9e85392b0c4e3e2c8fdc063dfda4c3d0e0156e54.rb
+++ b/lib/one_gadget/builds/libc-2.23-9e85392b0c4e3e2c8fdc063dfda4c3d0e0156e54.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233317,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233319,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233323,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233330,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233365,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233366,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 383183,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-a6fe771348e04d552fa1e6dcaf610699719bdd0e.rb b/lib/one_gadget/builds/libc-2.23-a6fe771348e04d552fa1e6dcaf610699719bdd0e.rb
index fce27b2..963395a 100644
--- a/lib/one_gadget/builds/libc-2.23-a6fe771348e04d552fa1e6dcaf610699719bdd0e.rb
+++ b/lib/one_gadget/builds/libc-2.23-a6fe771348e04d552fa1e6dcaf610699719bdd0e.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239452,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239454,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239458,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239465,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239500,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239501,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 388789,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-a71b122dbcd9503767b6f176d7745749fb4aaf89.rb b/lib/one_gadget/builds/libc-2.23-a71b122dbcd9503767b6f176d7745749fb4aaf89.rb
index b4ffe15..609a006 100644
--- a/lib/one_gadget/builds/libc-2.23-a71b122dbcd9503767b6f176d7745749fb4aaf89.rb
+++ b/lib/one_gadget/builds/libc-2.23-a71b122dbcd9503767b6f176d7745749fb4aaf89.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233301,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233303,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233307,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233314,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233349,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233350,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 383167,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-b078f2c07ab3751dbcbc3fbd2a11a8a162c35576.rb b/lib/one_gadget/builds/libc-2.23-b078f2c07ab3751dbcbc3fbd2a11a8a162c35576.rb
index cc7e5e2..4901674 100644
--- a/lib/one_gadget/builds/libc-2.23-b078f2c07ab3751dbcbc3fbd2a11a8a162c35576.rb
+++ b/lib/one_gadget/builds/libc-2.23-b078f2c07ab3751dbcbc3fbd2a11a8a162c35576.rb
@@ -19,19 +19,19 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 437088,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 437107,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
OneGadget::Gadget.add(build_id, 437109,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
OneGadget::Gadget.add(build_id, 437113,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 437114,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 584400,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-b2994712adbb4db7b768554149443ddee829cb91.rb b/lib/one_gadget/builds/libc-2.23-b2994712adbb4db7b768554149443ddee829cb91.rb
index 7d52885..080e825 100644
--- a/lib/one_gadget/builds/libc-2.23-b2994712adbb4db7b768554149443ddee829cb91.rb
+++ b/lib/one_gadget/builds/libc-2.23-b2994712adbb4db7b768554149443ddee829cb91.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240716,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240718,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240722,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240729,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240764,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240765,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 390437,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-b5381a457906d279073822a5ceb24c4bfef94ddb.rb b/lib/one_gadget/builds/libc-2.23-b5381a457906d279073822a5ceb24c4bfef94ddb.rb
index a4a7394..08f9eab 100644
--- a/lib/one_gadget/builds/libc-2.23-b5381a457906d279073822a5ceb24c4bfef94ddb.rb
+++ b/lib/one_gadget/builds/libc-2.23-b5381a457906d279073822a5ceb24c4bfef94ddb.rb
@@ -19,28 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 283151,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 283158,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 283242,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 839923,
- constraints: ["[rcx] == NULL || rcx == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, r12)")
OneGadget::Gadget.add(build_id, 840136,
- constraints: ["[rax] == NULL || rax == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rax] == NULL || rax == NULL || rax is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rax, r12)")
OneGadget::Gadget.add(build_id, 983716,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 983728,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 987463,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 1009392,
- constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL || [rbp-0xf8] is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, [rbp-0xf8])")
diff --git a/lib/one_gadget/builds/libc-2.23-b8aaf9d529588ee96e6e399ab8a15cbd58ab8b54.rb b/lib/one_gadget/builds/libc-2.23-b8aaf9d529588ee96e6e399ab8a15cbd58ab8b54.rb
index 7e57d25..7392f17 100644
--- a/lib/one_gadget/builds/libc-2.23-b8aaf9d529588ee96e6e399ab8a15cbd58ab8b54.rb
+++ b/lib/one_gadget/builds/libc-2.23-b8aaf9d529588ee96e6e399ab8a15cbd58ab8b54.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239388,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239390,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239394,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239401,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239436,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239437,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 389109,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-b978afd6ca2cf3f8768d6055581ece3c3e7d7b27.rb b/lib/one_gadget/builds/libc-2.23-b978afd6ca2cf3f8768d6055581ece3c3e7d7b27.rb
index d5748b8..b4765b5 100644
--- a/lib/one_gadget/builds/libc-2.23-b978afd6ca2cf3f8768d6055581ece3c3e7d7b27.rb
+++ b/lib/one_gadget/builds/libc-2.23-b978afd6ca2cf3f8768d6055581ece3c3e7d7b27.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258975,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258982,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259066,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 752727,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 752936,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 874055,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 874067,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 888817,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-bde4e8b0230b1b474cd8a1ca6e9f81bb2b438914.rb b/lib/one_gadget/builds/libc-2.23-bde4e8b0230b1b474cd8a1ca6e9f81bb2b438914.rb
index 993f996..c2b1da7 100644
--- a/lib/one_gadget/builds/libc-2.23-bde4e8b0230b1b474cd8a1ca6e9f81bb2b438914.rb
+++ b/lib/one_gadget/builds/libc-2.23-bde4e8b0230b1b474cd8a1ca6e9f81bb2b438914.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240748,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240750,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240754,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240761,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240796,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240797,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 392149,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-c0a199289365088782dcaceab6a81721d0d8ae0c.rb b/lib/one_gadget/builds/libc-2.23-c0a199289365088782dcaceab6a81721d0d8ae0c.rb
index e208599..ec1ea8f 100644
--- a/lib/one_gadget/builds/libc-2.23-c0a199289365088782dcaceab6a81721d0d8ae0c.rb
+++ b/lib/one_gadget/builds/libc-2.23-c0a199289365088782dcaceab6a81721d0d8ae0c.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254482,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254489,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254573,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 695079,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 695288,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 823427,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 823439,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 837905,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-c0cc47b9f732f8150eb2bbfb18d0d60a7b3564a9.rb b/lib/one_gadget/builds/libc-2.23-c0cc47b9f732f8150eb2bbfb18d0d60a7b3564a9.rb
index ad731b2..25f9512 100644
--- a/lib/one_gadget/builds/libc-2.23-c0cc47b9f732f8150eb2bbfb18d0d60a7b3564a9.rb
+++ b/lib/one_gadget/builds/libc-2.23-c0cc47b9f732f8150eb2bbfb18d0d60a7b3564a9.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233317,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233319,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233323,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233330,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233365,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233366,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 383183,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-c4fd86ec1eed57a09c79ce601f6c6e3796f574df.rb b/lib/one_gadget/builds/libc-2.23-c4fd86ec1eed57a09c79ce601f6c6e3796f574df.rb
index 1c354b8..c0550a8 100644
--- a/lib/one_gadget/builds/libc-2.23-c4fd86ec1eed57a09c79ce601f6c6e3796f574df.rb
+++ b/lib/one_gadget/builds/libc-2.23-c4fd86ec1eed57a09c79ce601f6c6e3796f574df.rb
@@ -19,28 +19,31 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 283167,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 283174,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 283258,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 840051,
- constraints: ["[rcx] == NULL || rcx == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, r12)")
OneGadget::Gadget.add(build_id, 840264,
- constraints: ["[rax] == NULL || rax == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rax] == NULL || rax == NULL || rax is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rax, r12)")
OneGadget::Gadget.add(build_id, 983908,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 983920,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 987655,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 1009584,
- constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL || [rbp-0xf8] is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, [rbp-0xf8])")
diff --git a/lib/one_gadget/builds/libc-2.23-d10743a8f3a9a7a2e9807b1af78026c0b5363f6b.rb b/lib/one_gadget/builds/libc-2.23-d10743a8f3a9a7a2e9807b1af78026c0b5363f6b.rb
index eef3b9d..eb2e3d7 100644
--- a/lib/one_gadget/builds/libc-2.23-d10743a8f3a9a7a2e9807b1af78026c0b5363f6b.rb
+++ b/lib/one_gadget/builds/libc-2.23-d10743a8f3a9a7a2e9807b1af78026c0b5363f6b.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240700,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240702,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240706,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240713,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240748,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240749,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 391845,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-d10fbfd9328f5ffaca50aa93562cb3bfb618fbcc.rb b/lib/one_gadget/builds/libc-2.23-d10fbfd9328f5ffaca50aa93562cb3bfb618fbcc.rb
index 756a667..ad4e714 100644
--- a/lib/one_gadget/builds/libc-2.23-d10fbfd9328f5ffaca50aa93562cb3bfb618fbcc.rb
+++ b/lib/one_gadget/builds/libc-2.23-d10fbfd9328f5ffaca50aa93562cb3bfb618fbcc.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259247,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259254,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259338,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 753703,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 753912,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 875047,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 875059,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 889809,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-d1df77a9cc06ba60c213852b01bc24282e49696a.rb b/lib/one_gadget/builds/libc-2.23-d1df77a9cc06ba60c213852b01bc24282e49696a.rb
index e4e4640..352bf83 100644
--- a/lib/one_gadget/builds/libc-2.23-d1df77a9cc06ba60c213852b01bc24282e49696a.rb
+++ b/lib/one_gadget/builds/libc-2.23-d1df77a9cc06ba60c213852b01bc24282e49696a.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259215,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259222,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259306,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 753591,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 753800,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 875383,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 875395,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 890225,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-d2be9dbf540a6ca8b559ddfbd17f47b53e84ba8d.rb b/lib/one_gadget/builds/libc-2.23-d2be9dbf540a6ca8b559ddfbd17f47b53e84ba8d.rb
index c5acdbe..8bbf2b6 100644
--- a/lib/one_gadget/builds/libc-2.23-d2be9dbf540a6ca8b559ddfbd17f47b53e84ba8d.rb
+++ b/lib/one_gadget/builds/libc-2.23-d2be9dbf540a6ca8b559ddfbd17f47b53e84ba8d.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258975,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258982,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259066,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 752727,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 752936,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 874055,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 874067,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 888817,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-d61f734abbd95e2ddeab19046141020d00aa2aaf.rb b/lib/one_gadget/builds/libc-2.23-d61f734abbd95e2ddeab19046141020d00aa2aaf.rb
index 99573a3..5d99bbc 100644
--- a/lib/one_gadget/builds/libc-2.23-d61f734abbd95e2ddeab19046141020d00aa2aaf.rb
+++ b/lib/one_gadget/builds/libc-2.23-d61f734abbd95e2ddeab19046141020d00aa2aaf.rb
@@ -19,19 +19,19 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 437088,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 437107,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
OneGadget::Gadget.add(build_id, 437109,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
OneGadget::Gadget.add(build_id, 437113,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 437114,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 584400,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-dcd02728e55c40d4a4b0d1482abe75cf2b853c2e.rb b/lib/one_gadget/builds/libc-2.23-dcd02728e55c40d4a4b0d1482abe75cf2b853c2e.rb
index 0b9987d..524b9f9 100644
--- a/lib/one_gadget/builds/libc-2.23-dcd02728e55c40d4a4b0d1482abe75cf2b853c2e.rb
+++ b/lib/one_gadget/builds/libc-2.23-dcd02728e55c40d4a4b0d1482abe75cf2b853c2e.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240188,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240190,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240194,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240201,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240236,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240237,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 390101,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-dd5192a769e33ed6ca68a6ab5740ff9e8ec678a7.rb b/lib/one_gadget/builds/libc-2.23-dd5192a769e33ed6ca68a6ab5740ff9e8ec678a7.rb
index d94ecd1..bcd191f 100644
--- a/lib/one_gadget/builds/libc-2.23-dd5192a769e33ed6ca68a6ab5740ff9e8ec678a7.rb
+++ b/lib/one_gadget/builds/libc-2.23-dd5192a769e33ed6ca68a6ab5740ff9e8ec678a7.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240732,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240734,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240738,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240745,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240780,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240781,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 392133,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-e388b883ef50189a2eb5e6c7931c52e03761a7fd.rb b/lib/one_gadget/builds/libc-2.23-e388b883ef50189a2eb5e6c7931c52e03761a7fd.rb
index 23e3f50..00908e5 100644
--- a/lib/one_gadget/builds/libc-2.23-e388b883ef50189a2eb5e6c7931c52e03761a7fd.rb
+++ b/lib/one_gadget/builds/libc-2.23-e388b883ef50189a2eb5e6c7931c52e03761a7fd.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254610,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254617,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254701,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 695895,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 696104,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 824691,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 824703,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 839169,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-e7b96675bca2ca2e2e746ebcb706d9236178564c.rb b/lib/one_gadget/builds/libc-2.23-e7b96675bca2ca2e2e746ebcb706d9236178564c.rb
index 624bf6c..b6dc345 100644
--- a/lib/one_gadget/builds/libc-2.23-e7b96675bca2ca2e2e746ebcb706d9236178564c.rb
+++ b/lib/one_gadget/builds/libc-2.23-e7b96675bca2ca2e2e746ebcb706d9236178564c.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258975,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258982,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259066,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 753983,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r13)")
OneGadget::Gadget.add(build_id, 875285,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 875297,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.23-e7c57c7dc7a4d8ca964993f19fd8b0fc4f72b617.rb b/lib/one_gadget/builds/libc-2.23-e7c57c7dc7a4d8ca964993f19fd8b0fc4f72b617.rb
index 71c05dc..e598cc4 100644
--- a/lib/one_gadget/builds/libc-2.23-e7c57c7dc7a4d8ca964993f19fd8b0fc4f72b617.rb
+++ b/lib/one_gadget/builds/libc-2.23-e7c57c7dc7a4d8ca964993f19fd8b0fc4f72b617.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259055,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259062,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259146,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 753031,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 753240,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 874855,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 874867,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 889617,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-e8df4c3d58e99c87f9b22655e9180c7ac31cb44f.rb b/lib/one_gadget/builds/libc-2.23-e8df4c3d58e99c87f9b22655e9180c7ac31cb44f.rb
index d917390..965f7d4 100644
--- a/lib/one_gadget/builds/libc-2.23-e8df4c3d58e99c87f9b22655e9180c7ac31cb44f.rb
+++ b/lib/one_gadget/builds/libc-2.23-e8df4c3d58e99c87f9b22655e9180c7ac31cb44f.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240108,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240110,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240114,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240121,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240156,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240157,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 390501,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-edceed30099baad51871c5fc277daf9b74dc726a.rb b/lib/one_gadget/builds/libc-2.23-edceed30099baad51871c5fc277daf9b74dc726a.rb
index edb063e..37f1520 100644
--- a/lib/one_gadget/builds/libc-2.23-edceed30099baad51871c5fc277daf9b74dc726a.rb
+++ b/lib/one_gadget/builds/libc-2.23-edceed30099baad51871c5fc277daf9b74dc726a.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239596,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239598,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239602,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239609,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239644,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239645,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 388933,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-ee0b5a0f65e25f536a868d84e1d912403b56e742.rb b/lib/one_gadget/builds/libc-2.23-ee0b5a0f65e25f536a868d84e1d912403b56e742.rb
index f93feef..8d2c80d 100644
--- a/lib/one_gadget/builds/libc-2.23-ee0b5a0f65e25f536a868d84e1d912403b56e742.rb
+++ b/lib/one_gadget/builds/libc-2.23-ee0b5a0f65e25f536a868d84e1d912403b56e742.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258927,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258934,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259018,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 752471,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 752680,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 873799,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 873811,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 888561,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-ee525f6c9b018c094beedd17b87a4573d7ea7e2e.rb b/lib/one_gadget/builds/libc-2.23-ee525f6c9b018c094beedd17b87a4573d7ea7e2e.rb
index 6a10e35..bd727e7 100644
--- a/lib/one_gadget/builds/libc-2.23-ee525f6c9b018c094beedd17b87a4573d7ea7e2e.rb
+++ b/lib/one_gadget/builds/libc-2.23-ee525f6c9b018c094beedd17b87a4573d7ea7e2e.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258975,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258982,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259066,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 752727,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 752936,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 874055,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 874067,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 888817,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-f0c2e03955a845c9a7f9c85228b12c9700d66c50.rb b/lib/one_gadget/builds/libc-2.23-f0c2e03955a845c9a7f9c85228b12c9700d66c50.rb
index de67b4c..6aaaa18 100644
--- a/lib/one_gadget/builds/libc-2.23-f0c2e03955a845c9a7f9c85228b12c9700d66c50.rb
+++ b/lib/one_gadget/builds/libc-2.23-f0c2e03955a845c9a7f9c85228b12c9700d66c50.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233301,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233303,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233307,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233314,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233349,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233350,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 383167,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-f202f01f10e845e14e7d8ca44cf5d9e4742fca6a.rb b/lib/one_gadget/builds/libc-2.23-f202f01f10e845e14e7d8ca44cf5d9e4742fca6a.rb
index 4c6bb8a..c3fdfea 100644
--- a/lib/one_gadget/builds/libc-2.23-f202f01f10e845e14e7d8ca44cf5d9e4742fca6a.rb
+++ b/lib/one_gadget/builds/libc-2.23-f202f01f10e845e14e7d8ca44cf5d9e4742fca6a.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258863,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258870,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258954,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754533,
- constraints: ["[[rbp-0x38]] == NULL || [rbp-0x38] == NULL", "[rbx] == NULL || rbx == NULL"],
+ constraints: ["[[rbp-0x38]] == NULL || [rbp-0x38] == NULL || [rbp-0x38] is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x38], rbx)")
OneGadget::Gadget.add(build_id, 875685,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 875697,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.23-f2f2f2af4f3e8597cca1fdff1008a834c78de42b.rb b/lib/one_gadget/builds/libc-2.23-f2f2f2af4f3e8597cca1fdff1008a834c78de42b.rb
index 491f857..52d54a6 100644
--- a/lib/one_gadget/builds/libc-2.23-f2f2f2af4f3e8597cca1fdff1008a834c78de42b.rb
+++ b/lib/one_gadget/builds/libc-2.23-f2f2f2af4f3e8597cca1fdff1008a834c78de42b.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259279,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259286,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259370,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 753847,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 754056,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 875271,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 875283,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 890033,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-f303ce47c562225a4f3475170333494965760a6a.rb b/lib/one_gadget/builds/libc-2.23-f303ce47c562225a4f3475170333494965760a6a.rb
index 070cc21..c07f032 100644
--- a/lib/one_gadget/builds/libc-2.23-f303ce47c562225a4f3475170333494965760a6a.rb
+++ b/lib/one_gadget/builds/libc-2.23-f303ce47c562225a4f3475170333494965760a6a.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259279,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259286,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259370,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 753847,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 754056,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 875223,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 875235,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 889985,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-f33f3937b8f458ffd96cf10a22deea1bd85ac61a.rb b/lib/one_gadget/builds/libc-2.23-f33f3937b8f458ffd96cf10a22deea1bd85ac61a.rb
index 7a787af..ff718ca 100644
--- a/lib/one_gadget/builds/libc-2.23-f33f3937b8f458ffd96cf10a22deea1bd85ac61a.rb
+++ b/lib/one_gadget/builds/libc-2.23-f33f3937b8f458ffd96cf10a22deea1bd85ac61a.rb
@@ -19,25 +19,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259055,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259062,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259146,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 753367,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, r12)")
OneGadget::Gadget.add(build_id, 753576,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
OneGadget::Gadget.add(build_id, 875223,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 875235,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 889985,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-f4490657edfef482025fff60e85acd5928e0d05b.rb b/lib/one_gadget/builds/libc-2.23-f4490657edfef482025fff60e85acd5928e0d05b.rb
index b0d499a..86c70a8 100644
--- a/lib/one_gadget/builds/libc-2.23-f4490657edfef482025fff60e85acd5928e0d05b.rb
+++ b/lib/one_gadget/builds/libc-2.23-f4490657edfef482025fff60e85acd5928e0d05b.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239644,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239646,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239650,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239657,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239692,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239693,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 389237,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-ffb3662a7bc5e136fa8f464fc14ec23efb8d1817.rb b/lib/one_gadget/builds/libc-2.23-ffb3662a7bc5e136fa8f464fc14ec23efb8d1817.rb
index 6997868..b4e656c 100644
--- a/lib/one_gadget/builds/libc-2.23-ffb3662a7bc5e136fa8f464fc14ec23efb8d1817.rb
+++ b/lib/one_gadget/builds/libc-2.23-ffb3662a7bc5e136fa8f464fc14ec23efb8d1817.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258863,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258870,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258954,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 754533,
- constraints: ["[[rbp-0x38]] == NULL || [rbp-0x38] == NULL", "[rbx] == NULL || rbx == NULL"],
+ constraints: ["[[rbp-0x38]] == NULL || [rbp-0x38] == NULL || [rbp-0x38] is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x38], rbx)")
OneGadget::Gadget.add(build_id, 876117,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 876129,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.23.90-203feaf8a7e40cef8a75568a406a22fdeda94f8b.rb b/lib/one_gadget/builds/libc-2.23.90-203feaf8a7e40cef8a75568a406a22fdeda94f8b.rb
index 9260433..fa8efe6 100644
--- a/lib/one_gadget/builds/libc-2.23.90-203feaf8a7e40cef8a75568a406a22fdeda94f8b.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-203feaf8a7e40cef8a75568a406a22fdeda94f8b.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259199,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259206,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259290,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 755496,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878085,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878097,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.23.90-392b643118f919a1827477e978d9cea2b09a34fc.rb b/lib/one_gadget/builds/libc-2.23.90-392b643118f919a1827477e978d9cea2b09a34fc.rb
index 95d245f..a394fb6 100644
--- a/lib/one_gadget/builds/libc-2.23.90-392b643118f919a1827477e978d9cea2b09a34fc.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-392b643118f919a1827477e978d9cea2b09a34fc.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 232965,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 232967,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 232971,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 232978,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233013,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233014,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 384607,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23.90-52e411aed4443fbbcb9706fffa2362e4a108f28f.rb b/lib/one_gadget/builds/libc-2.23.90-52e411aed4443fbbcb9706fffa2362e4a108f28f.rb
index ba199f7..e2418b5 100644
--- a/lib/one_gadget/builds/libc-2.23.90-52e411aed4443fbbcb9706fffa2362e4a108f28f.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-52e411aed4443fbbcb9706fffa2362e4a108f28f.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 232965,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 232967,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 232971,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 232978,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233013,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233014,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 384607,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23.90-604d873b711edeb971328656c4c17bbc15c7427f.rb b/lib/one_gadget/builds/libc-2.23.90-604d873b711edeb971328656c4c17bbc15c7427f.rb
index 8b9a6e8..3b9b12a 100644
--- a/lib/one_gadget/builds/libc-2.23.90-604d873b711edeb971328656c4c17bbc15c7427f.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-604d873b711edeb971328656c4c17bbc15c7427f.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240492,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240494,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240498,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240505,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240540,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240541,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 392117,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23.90-63fbdf3e3928f6dc2bcac10e28aa233a625a3d27.rb b/lib/one_gadget/builds/libc-2.23.90-63fbdf3e3928f6dc2bcac10e28aa233a625a3d27.rb
index d612052..22f3710 100644
--- a/lib/one_gadget/builds/libc-2.23.90-63fbdf3e3928f6dc2bcac10e28aa233a625a3d27.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-63fbdf3e3928f6dc2bcac10e28aa233a625a3d27.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234677,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234679,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234683,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234690,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234725,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234726,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 386143,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23.90-7439c4311f0dd7307f78c1b5530f52a590230e45.rb b/lib/one_gadget/builds/libc-2.23.90-7439c4311f0dd7307f78c1b5530f52a590230e45.rb
index 3b465c4..5d7aac8 100644
--- a/lib/one_gadget/builds/libc-2.23.90-7439c4311f0dd7307f78c1b5530f52a590230e45.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-7439c4311f0dd7307f78c1b5530f52a590230e45.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240492,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240494,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240498,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240505,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240540,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240541,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 392117,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23.90-b23fcdbc7bead3c59600e0a6acfe9220c42e1b93.rb b/lib/one_gadget/builds/libc-2.23.90-b23fcdbc7bead3c59600e0a6acfe9220c42e1b93.rb
index 1dd3dbc..175111f 100644
--- a/lib/one_gadget/builds/libc-2.23.90-b23fcdbc7bead3c59600e0a6acfe9220c42e1b93.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-b23fcdbc7bead3c59600e0a6acfe9220c42e1b93.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 238732,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 238734,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 238738,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 238745,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 238780,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 238781,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 391189,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23.90-c5238226a11b5538d56c713c97db1a36722e6322.rb b/lib/one_gadget/builds/libc-2.23.90-c5238226a11b5538d56c713c97db1a36722e6322.rb
index 1d08b88..2206671 100644
--- a/lib/one_gadget/builds/libc-2.23.90-c5238226a11b5538d56c713c97db1a36722e6322.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-c5238226a11b5538d56c713c97db1a36722e6322.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258991,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258998,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259082,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756488,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878773,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878785,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.23.90-e1b43c632d35649e9b128528994426e34ae40d1a.rb b/lib/one_gadget/builds/libc-2.23.90-e1b43c632d35649e9b128528994426e34ae40d1a.rb
index e1bb239..0bab357 100644
--- a/lib/one_gadget/builds/libc-2.23.90-e1b43c632d35649e9b128528994426e34ae40d1a.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-e1b43c632d35649e9b128528994426e34ae40d1a.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234405,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234407,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234411,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234418,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234453,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234454,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 384831,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23.90-e9ab765fb32204de2215d6117dcbc1fb92f26b9a.rb b/lib/one_gadget/builds/libc-2.23.90-e9ab765fb32204de2215d6117dcbc1fb92f26b9a.rb
index 9de69c1..e8ef3db 100644
--- a/lib/one_gadget/builds/libc-2.23.90-e9ab765fb32204de2215d6117dcbc1fb92f26b9a.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-e9ab765fb32204de2215d6117dcbc1fb92f26b9a.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259199,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259206,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259290,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 755608,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878197,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878209,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.23.90-ef3765f1e2595771cefa96291c647d0eff8a81e0.rb b/lib/one_gadget/builds/libc-2.23.90-ef3765f1e2595771cefa96291c647d0eff8a81e0.rb
index 79c41f7..ec1af56 100644
--- a/lib/one_gadget/builds/libc-2.23.90-ef3765f1e2595771cefa96291c647d0eff8a81e0.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-ef3765f1e2595771cefa96291c647d0eff8a81e0.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258991,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258998,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259082,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756488,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878773,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878785,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.23.90-f149edaf4dee34b38f831bf0914af2ecf0a1a317.rb b/lib/one_gadget/builds/libc-2.23.90-f149edaf4dee34b38f831bf0914af2ecf0a1a317.rb
index 845ab09..324510d 100644
--- a/lib/one_gadget/builds/libc-2.23.90-f149edaf4dee34b38f831bf0914af2ecf0a1a317.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-f149edaf4dee34b38f831bf0914af2ecf0a1a317.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 238732,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 238734,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 238738,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 238745,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 238780,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 238781,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 391189,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-024385baa7aaf9c62ae336e896bcf245dda0fc01.rb b/lib/one_gadget/builds/libc-2.24-024385baa7aaf9c62ae336e896bcf245dda0fc01.rb
index 5b944dc..4b6d14d 100644
--- a/lib/one_gadget/builds/libc-2.24-024385baa7aaf9c62ae336e896bcf245dda0fc01.rb
+++ b/lib/one_gadget/builds/libc-2.24-024385baa7aaf9c62ae336e896bcf245dda0fc01.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234677,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234679,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234683,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234690,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234725,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234726,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 386143,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-04b6f2a9e244a36a9f107febf832bbadea9f252c.rb b/lib/one_gadget/builds/libc-2.24-04b6f2a9e244a36a9f107febf832bbadea9f252c.rb
index 25d5e44..632c3cb 100644
--- a/lib/one_gadget/builds/libc-2.24-04b6f2a9e244a36a9f107febf832bbadea9f252c.rb
+++ b/lib/one_gadget/builds/libc-2.24-04b6f2a9e244a36a9f107febf832bbadea9f252c.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239372,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239374,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239378,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239385,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239420,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239421,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 391093,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-0b88546716e2f1924986596ee7cc9215df89c6f5.rb b/lib/one_gadget/builds/libc-2.24-0b88546716e2f1924986596ee7cc9215df89c6f5.rb
index 3e09658..d845cce 100644
--- a/lib/one_gadget/builds/libc-2.24-0b88546716e2f1924986596ee7cc9215df89c6f5.rb
+++ b/lib/one_gadget/builds/libc-2.24-0b88546716e2f1924986596ee7cc9215df89c6f5.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 241148,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 241150,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 241154,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241161,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241196,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241197,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 394501,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-0c11fd6524ef7a7da877f940fba181ed746edb0a.rb b/lib/one_gadget/builds/libc-2.24-0c11fd6524ef7a7da877f940fba181ed746edb0a.rb
index 0077c7b..dfc0929 100644
--- a/lib/one_gadget/builds/libc-2.24-0c11fd6524ef7a7da877f940fba181ed746edb0a.rb
+++ b/lib/one_gadget/builds/libc-2.24-0c11fd6524ef7a7da877f940fba181ed746edb0a.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233589,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233591,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233595,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233602,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233637,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233638,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 385199,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-0f523a27b7460f50befd3d281238c6f189c92d84.rb b/lib/one_gadget/builds/libc-2.24-0f523a27b7460f50befd3d281238c6f189c92d84.rb
index f40e5cc..d4680a1 100644
--- a/lib/one_gadget/builds/libc-2.24-0f523a27b7460f50befd3d281238c6f189c92d84.rb
+++ b/lib/one_gadget/builds/libc-2.24-0f523a27b7460f50befd3d281238c6f189c92d84.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239564,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239566,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239570,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239577,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239612,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239613,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 391285,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-1c3ec3a011b1005cb1c2c32fc6dbc4e6e9cef4bb.rb b/lib/one_gadget/builds/libc-2.24-1c3ec3a011b1005cb1c2c32fc6dbc4e6e9cef4bb.rb
index cfcfc96..d9bfc71 100644
--- a/lib/one_gadget/builds/libc-2.24-1c3ec3a011b1005cb1c2c32fc6dbc4e6e9cef4bb.rb
+++ b/lib/one_gadget/builds/libc-2.24-1c3ec3a011b1005cb1c2c32fc6dbc4e6e9cef4bb.rb
@@ -19,22 +19,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 487261,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x24, environ)")
OneGadget::Gadget.add(build_id, 487263,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 487267,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 487274,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 487309,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 487310,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 642435,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-1da8c8ac3c71c30040cf58b563ae48e39bbae86f.rb b/lib/one_gadget/builds/libc-2.24-1da8c8ac3c71c30040cf58b563ae48e39bbae86f.rb
index fa9d294..bea0979 100644
--- a/lib/one_gadget/builds/libc-2.24-1da8c8ac3c71c30040cf58b563ae48e39bbae86f.rb
+++ b/lib/one_gadget/builds/libc-2.24-1da8c8ac3c71c30040cf58b563ae48e39bbae86f.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254498,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254505,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254589,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 706936,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 836125,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 836137,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-1ddd6fca9cd87c66e6a19df018f5992e9fa6453d.rb b/lib/one_gadget/builds/libc-2.24-1ddd6fca9cd87c66e6a19df018f5992e9fa6453d.rb
index cc86605..398e394 100644
--- a/lib/one_gadget/builds/libc-2.24-1ddd6fca9cd87c66e6a19df018f5992e9fa6453d.rb
+++ b/lib/one_gadget/builds/libc-2.24-1ddd6fca9cd87c66e6a19df018f5992e9fa6453d.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233509,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233511,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233515,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233522,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233557,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233558,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 385119,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-1f253610e390e5237eb7949212e08166fba3ca4b.rb b/lib/one_gadget/builds/libc-2.24-1f253610e390e5237eb7949212e08166fba3ca4b.rb
index a37d192..c5a972c 100644
--- a/lib/one_gadget/builds/libc-2.24-1f253610e390e5237eb7949212e08166fba3ca4b.rb
+++ b/lib/one_gadget/builds/libc-2.24-1f253610e390e5237eb7949212e08166fba3ca4b.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 241148,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 241150,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 241154,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241161,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241196,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241197,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 394501,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-1f7bdfb9a24714835cee6e6597ea7aa782821371.rb b/lib/one_gadget/builds/libc-2.24-1f7bdfb9a24714835cee6e6597ea7aa782821371.rb
index 4f48d28..fe4748e 100644
--- a/lib/one_gadget/builds/libc-2.24-1f7bdfb9a24714835cee6e6597ea7aa782821371.rb
+++ b/lib/one_gadget/builds/libc-2.24-1f7bdfb9a24714835cee6e6597ea7aa782821371.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239484,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239486,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239490,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239497,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239532,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239533,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 391205,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-206b2bb216b6cdb6b1be565a6fcd29f3862db060.rb b/lib/one_gadget/builds/libc-2.24-206b2bb216b6cdb6b1be565a6fcd29f3862db060.rb
index db77078..fece880 100644
--- a/lib/one_gadget/builds/libc-2.24-206b2bb216b6cdb6b1be565a6fcd29f3862db060.rb
+++ b/lib/one_gadget/builds/libc-2.24-206b2bb216b6cdb6b1be565a6fcd29f3862db060.rb
@@ -19,31 +19,34 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 283983,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 283990,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 284074,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 843370,
- constraints: ["[r15] == NULL || r15 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", r15, r13)")
OneGadget::Gadget.add(build_id, 844053,
- constraints: ["[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL"],
+ constraints: ["[[rbp-0x78]] == NULL || [rbp-0x78] == NULL || [rbp-0x78] is a valid argv", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL || [rbp-0x50] is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x50])")
OneGadget::Gadget.add(build_id, 844057,
- constraints: ["[r9] == NULL || r9 == NULL", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL || [rbp-0x50] is a valid envp"],
effect: "execve(\"/bin/sh\", r9, [rbp-0x50])")
OneGadget::Gadget.add(build_id, 844061,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
OneGadget::Gadget.add(build_id, 988817,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 988829,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 992537,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
diff --git a/lib/one_gadget/builds/libc-2.24-20cbb98b62f46ee16b182d1b357146577c40ebb7.rb b/lib/one_gadget/builds/libc-2.24-20cbb98b62f46ee16b182d1b357146577c40ebb7.rb
index 0129559..3667d6e 100644
--- a/lib/one_gadget/builds/libc-2.24-20cbb98b62f46ee16b182d1b357146577c40ebb7.rb
+++ b/lib/one_gadget/builds/libc-2.24-20cbb98b62f46ee16b182d1b357146577c40ebb7.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258751,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258758,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258842,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756399,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878661,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878673,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-236e52c7896f5403d8065cf3965fdb2d31d56891.rb b/lib/one_gadget/builds/libc-2.24-236e52c7896f5403d8065cf3965fdb2d31d56891.rb
index 3c9ac80..16d93b3 100644
--- a/lib/one_gadget/builds/libc-2.24-236e52c7896f5403d8065cf3965fdb2d31d56891.rb
+++ b/lib/one_gadget/builds/libc-2.24-236e52c7896f5403d8065cf3965fdb2d31d56891.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239292,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239294,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239298,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239305,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239340,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239341,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 391013,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-24b1296687d36e24bd48b8c412157d94f074ecc2.rb b/lib/one_gadget/builds/libc-2.24-24b1296687d36e24bd48b8c412157d94f074ecc2.rb
index 576ee8f..f9389c8 100644
--- a/lib/one_gadget/builds/libc-2.24-24b1296687d36e24bd48b8c412157d94f074ecc2.rb
+++ b/lib/one_gadget/builds/libc-2.24-24b1296687d36e24bd48b8c412157d94f074ecc2.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258991,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258998,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259082,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756360,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878645,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878657,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-253debb34a7d493c0b8e2d6db2079e3d680459f5.rb b/lib/one_gadget/builds/libc-2.24-253debb34a7d493c0b8e2d6db2079e3d680459f5.rb
index afe1bf3..1a36a4c 100644
--- a/lib/one_gadget/builds/libc-2.24-253debb34a7d493c0b8e2d6db2079e3d680459f5.rb
+++ b/lib/one_gadget/builds/libc-2.24-253debb34a7d493c0b8e2d6db2079e3d680459f5.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258783,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258790,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258874,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756424,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878693,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878705,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-26e84118fee5788eb5d8dda66b7e7f029d2c7800.rb b/lib/one_gadget/builds/libc-2.24-26e84118fee5788eb5d8dda66b7e7f029d2c7800.rb
index e176de4..0eb358c 100644
--- a/lib/one_gadget/builds/libc-2.24-26e84118fee5788eb5d8dda66b7e7f029d2c7800.rb
+++ b/lib/one_gadget/builds/libc-2.24-26e84118fee5788eb5d8dda66b7e7f029d2c7800.rb
@@ -19,17 +19,26 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248396,
+ constraints: ["writable: x19+0x258", "{\"sh\", \"-c\", x24, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x68, environ)")
OneGadget::Gadget.add(build_id, 248400,
- constraints: ["writable: x19+0x258", "x3+0x9f8 == NULL"],
+ constraints: ["writable: x19+0x258", "x3+0x9f8 == NULL || {x3+0x9f8, \"-c\", x24, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x68, environ)")
OneGadget::Gadget.add(build_id, 248404,
- constraints: ["writable: x19+0x258", "x3 == NULL"],
+ constraints: ["writable: x19+0x258", "x3 == NULL || {x3, \"-c\", x24, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x68, environ)")
+OneGadget::Gadget.add(build_id, 248412,
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "x3 == NULL || {x3, x0+0xa00, x24, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x68, environ)")
+OneGadget::Gadget.add(build_id, 248416,
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "x3 == NULL || {x3, x0, x24, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x68, environ)")
OneGadget::Gadget.add(build_id, 248440,
- constraints: ["writable: x19+0x258", "writable: x20+0x4", "[sp+0x68] == NULL"],
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "[sp+0x68] == NULL || {[sp+0x68], [sp+0x70], [sp+0x78], [sp+0x80], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x68, environ)")
OneGadget::Gadget.add(build_id, 248476,
- constraints: ["writable: x19+0x258", "writable: x20+0x4", "[x21] == NULL || x21 == NULL"],
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "[x21] == NULL || x21 == NULL || x21 is a valid argv"],
effect: "execve(\"/bin/sh\", x21, environ)")
OneGadget::Gadget.add(build_id, 398984,
constraints: ["x2+0xa00 == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-2ee9e1740da616757f2e6d5ba58576c0c7302fff.rb b/lib/one_gadget/builds/libc-2.24-2ee9e1740da616757f2e6d5ba58576c0c7302fff.rb
index d341a05..a36fdce 100644
--- a/lib/one_gadget/builds/libc-2.24-2ee9e1740da616757f2e6d5ba58576c0c7302fff.rb
+++ b/lib/one_gadget/builds/libc-2.24-2ee9e1740da616757f2e6d5ba58576c0c7302fff.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258783,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258790,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258874,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756424,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878693,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878705,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-30acfe88fed30ad3f8cb88425b80ea96899655aa.rb b/lib/one_gadget/builds/libc-2.24-30acfe88fed30ad3f8cb88425b80ea96899655aa.rb
index ea11551..414ce22 100644
--- a/lib/one_gadget/builds/libc-2.24-30acfe88fed30ad3f8cb88425b80ea96899655aa.rb
+++ b/lib/one_gadget/builds/libc-2.24-30acfe88fed30ad3f8cb88425b80ea96899655aa.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240492,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240494,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240498,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240505,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240540,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240541,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 392117,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-33801a6f55c5c3cdf7d83590b433adcbab08a688.rb b/lib/one_gadget/builds/libc-2.24-33801a6f55c5c3cdf7d83590b433adcbab08a688.rb
index d6689b8..5fc86ea 100644
--- a/lib/one_gadget/builds/libc-2.24-33801a6f55c5c3cdf7d83590b433adcbab08a688.rb
+++ b/lib/one_gadget/builds/libc-2.24-33801a6f55c5c3cdf7d83590b433adcbab08a688.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254482,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254489,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254573,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 707343,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 836503,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 836515,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-349119af9e223829ea24f6b7226bdff0182e73f2.rb b/lib/one_gadget/builds/libc-2.24-349119af9e223829ea24f6b7226bdff0182e73f2.rb
index 110f29b..d473f49 100644
--- a/lib/one_gadget/builds/libc-2.24-349119af9e223829ea24f6b7226bdff0182e73f2.rb
+++ b/lib/one_gadget/builds/libc-2.24-349119af9e223829ea24f6b7226bdff0182e73f2.rb
@@ -19,31 +19,34 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 283983,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 283990,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 284074,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 840298,
- constraints: ["[r15] == NULL || r15 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", r15, r13)")
OneGadget::Gadget.add(build_id, 840981,
- constraints: ["[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL"],
+ constraints: ["[[rbp-0x78]] == NULL || [rbp-0x78] == NULL || [rbp-0x78] is a valid argv", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL || [rbp-0x50] is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x50])")
OneGadget::Gadget.add(build_id, 840985,
- constraints: ["[r9] == NULL || r9 == NULL", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL || [rbp-0x50] is a valid envp"],
effect: "execve(\"/bin/sh\", r9, [rbp-0x50])")
OneGadget::Gadget.add(build_id, 840989,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
OneGadget::Gadget.add(build_id, 985745,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 985757,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 989465,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
diff --git a/lib/one_gadget/builds/libc-2.24-35764bd71c58942e9131e3547b7c343098212d03.rb b/lib/one_gadget/builds/libc-2.24-35764bd71c58942e9131e3547b7c343098212d03.rb
index 19f3ba6..586f0dc 100644
--- a/lib/one_gadget/builds/libc-2.24-35764bd71c58942e9131e3547b7c343098212d03.rb
+++ b/lib/one_gadget/builds/libc-2.24-35764bd71c58942e9131e3547b7c343098212d03.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233589,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233591,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233595,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233602,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233637,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233638,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 385199,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-389260a6758c3f1dbc741c197e747341ed277cd2.rb b/lib/one_gadget/builds/libc-2.24-389260a6758c3f1dbc741c197e747341ed277cd2.rb
index d3ca473..98e5573 100644
--- a/lib/one_gadget/builds/libc-2.24-389260a6758c3f1dbc741c197e747341ed277cd2.rb
+++ b/lib/one_gadget/builds/libc-2.24-389260a6758c3f1dbc741c197e747341ed277cd2.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233589,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233591,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233595,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233602,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233637,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233638,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 385199,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-3b24749bb184473f81819312e3d86903915eaf65.rb b/lib/one_gadget/builds/libc-2.24-3b24749bb184473f81819312e3d86903915eaf65.rb
index 9d2fd06..67ffe16 100644
--- a/lib/one_gadget/builds/libc-2.24-3b24749bb184473f81819312e3d86903915eaf65.rb
+++ b/lib/one_gadget/builds/libc-2.24-3b24749bb184473f81819312e3d86903915eaf65.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239372,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239374,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239378,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239385,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239420,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239421,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 391093,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-3ea4c67e60e49b8164b692166115bbf927e521db.rb b/lib/one_gadget/builds/libc-2.24-3ea4c67e60e49b8164b692166115bbf927e521db.rb
index 362cb6d..f988af4 100644
--- a/lib/one_gadget/builds/libc-2.24-3ea4c67e60e49b8164b692166115bbf927e521db.rb
+++ b/lib/one_gadget/builds/libc-2.24-3ea4c67e60e49b8164b692166115bbf927e521db.rb
@@ -19,22 +19,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 489965,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x24, environ)")
OneGadget::Gadget.add(build_id, 489967,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 489971,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 489978,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 490013,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 490014,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 645139,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-3f89db5baa7e88162377fab6a1590f732a355401.rb b/lib/one_gadget/builds/libc-2.24-3f89db5baa7e88162377fab6a1590f732a355401.rb
index f66cf98..1504b3d 100644
--- a/lib/one_gadget/builds/libc-2.24-3f89db5baa7e88162377fab6a1590f732a355401.rb
+++ b/lib/one_gadget/builds/libc-2.24-3f89db5baa7e88162377fab6a1590f732a355401.rb
@@ -19,22 +19,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 489549,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x24, environ)")
OneGadget::Gadget.add(build_id, 489551,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 489555,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 489562,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 489597,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 489598,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 644723,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-3fce81d490804af9759c70bf197380bc05a584c2.rb b/lib/one_gadget/builds/libc-2.24-3fce81d490804af9759c70bf197380bc05a584c2.rb
index 0a41e28..4eb1549 100644
--- a/lib/one_gadget/builds/libc-2.24-3fce81d490804af9759c70bf197380bc05a584c2.rb
+++ b/lib/one_gadget/builds/libc-2.24-3fce81d490804af9759c70bf197380bc05a584c2.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239484,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239486,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239490,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239497,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239532,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239533,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 391205,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-43adbb1e7368c94fba1ba9020d8ef0808bff5bc4.rb b/lib/one_gadget/builds/libc-2.24-43adbb1e7368c94fba1ba9020d8ef0808bff5bc4.rb
index 1a99f0b..47aa224 100644
--- a/lib/one_gadget/builds/libc-2.24-43adbb1e7368c94fba1ba9020d8ef0808bff5bc4.rb
+++ b/lib/one_gadget/builds/libc-2.24-43adbb1e7368c94fba1ba9020d8ef0808bff5bc4.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258959,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258966,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259050,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 757064,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 879333,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 879345,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-43faee19af5e1d20163c6492862fca1a4146b668.rb b/lib/one_gadget/builds/libc-2.24-43faee19af5e1d20163c6492862fca1a4146b668.rb
index 11f5cb7..bef8c4e 100644
--- a/lib/one_gadget/builds/libc-2.24-43faee19af5e1d20163c6492862fca1a4146b668.rb
+++ b/lib/one_gadget/builds/libc-2.24-43faee19af5e1d20163c6492862fca1a4146b668.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254498,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254505,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254589,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 706936,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 836125,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 836137,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-45adab2b0ad8604e35eeea0b30d6ec1ad11642af.rb b/lib/one_gadget/builds/libc-2.24-45adab2b0ad8604e35eeea0b30d6ec1ad11642af.rb
index c6132a0..a5d9adc 100644
--- a/lib/one_gadget/builds/libc-2.24-45adab2b0ad8604e35eeea0b30d6ec1ad11642af.rb
+++ b/lib/one_gadget/builds/libc-2.24-45adab2b0ad8604e35eeea0b30d6ec1ad11642af.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258927,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258934,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259018,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756520,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878805,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878817,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-46bb6303e03d21ec9b79334370e1b39a51f883b1.rb b/lib/one_gadget/builds/libc-2.24-46bb6303e03d21ec9b79334370e1b39a51f883b1.rb
index 77eddba..d820e13 100644
--- a/lib/one_gadget/builds/libc-2.24-46bb6303e03d21ec9b79334370e1b39a51f883b1.rb
+++ b/lib/one_gadget/builds/libc-2.24-46bb6303e03d21ec9b79334370e1b39a51f883b1.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234677,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234679,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234683,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234690,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234725,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234726,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 386143,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-497931f8d2346a6d0e300a65d8fc6106c6c88c15.rb b/lib/one_gadget/builds/libc-2.24-497931f8d2346a6d0e300a65d8fc6106c6c88c15.rb
index 16ba144..e458e74 100644
--- a/lib/one_gadget/builds/libc-2.24-497931f8d2346a6d0e300a65d8fc6106c6c88c15.rb
+++ b/lib/one_gadget/builds/libc-2.24-497931f8d2346a6d0e300a65d8fc6106c6c88c15.rb
@@ -19,14 +19,23 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248276,
+ constraints: ["writable: x19+0x258", "{\"sh\", \"-c\", x23, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x58, environ)")
+OneGadget::Gadget.add(build_id, 248284,
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0x3a8 == NULL || {x4+0x3a8, \"-c\", x23, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x58, environ)")
OneGadget::Gadget.add(build_id, 248288,
- constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0x3a8 == NULL"],
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0x3a8 == NULL || {x4+0x3a8, x3+0x3b0, x23, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x58, environ)")
+OneGadget::Gadget.add(build_id, 248292,
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL || {x4, x3+0x3b0, x23, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x58, environ)")
OneGadget::Gadget.add(build_id, 248300,
- constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL"],
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL || {x4, x3, x23, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x58, environ)")
OneGadget::Gadget.add(build_id, 248360,
- constraints: ["writable: x20+0x4", "[x22] == NULL || x22 == NULL"],
+ constraints: ["writable: x20+0x4", "[x22] == NULL || x22 == NULL || x22 is a valid argv"],
effect: "execve(\"/bin/sh\", x22, environ)")
OneGadget::Gadget.add(build_id, 398708,
constraints: ["x2+0x3b0 == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-4d0bb76f378375d584a373929f6d5b695f53db99.rb b/lib/one_gadget/builds/libc-2.24-4d0bb76f378375d584a373929f6d5b695f53db99.rb
index 476d6d2..b2b4040 100644
--- a/lib/one_gadget/builds/libc-2.24-4d0bb76f378375d584a373929f6d5b695f53db99.rb
+++ b/lib/one_gadget/builds/libc-2.24-4d0bb76f378375d584a373929f6d5b695f53db99.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258751,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258758,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258842,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756392,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878661,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878673,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-4dac034d41342a93593b3e18aa05f4b69c2909c9.rb b/lib/one_gadget/builds/libc-2.24-4dac034d41342a93593b3e18aa05f4b69c2909c9.rb
index cc48de6..4202f45 100644
--- a/lib/one_gadget/builds/libc-2.24-4dac034d41342a93593b3e18aa05f4b69c2909c9.rb
+++ b/lib/one_gadget/builds/libc-2.24-4dac034d41342a93593b3e18aa05f4b69c2909c9.rb
@@ -19,22 +19,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 487597,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x24, environ)")
OneGadget::Gadget.add(build_id, 487599,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 487603,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 487610,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 487645,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 487646,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 642771,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-4fa7401566d6b3e2c7ee5df3b4d85a01f85b595c.rb b/lib/one_gadget/builds/libc-2.24-4fa7401566d6b3e2c7ee5df3b4d85a01f85b595c.rb
index fdbf9c2..ec15792 100644
--- a/lib/one_gadget/builds/libc-2.24-4fa7401566d6b3e2c7ee5df3b4d85a01f85b595c.rb
+++ b/lib/one_gadget/builds/libc-2.24-4fa7401566d6b3e2c7ee5df3b4d85a01f85b595c.rb
@@ -19,14 +19,23 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248468,
+ constraints: ["writable: x19+0x258", "{\"sh\", \"-c\", x23, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x58, environ)")
+OneGadget::Gadget.add(build_id, 248476,
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0xc48 == NULL || {x4+0xc48, \"-c\", x23, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x58, environ)")
OneGadget::Gadget.add(build_id, 248480,
- constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0xc48 == NULL"],
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0xc48 == NULL || {x4+0xc48, x3+0xc50, x23, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x58, environ)")
+OneGadget::Gadget.add(build_id, 248484,
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL || {x4, x3+0xc50, x23, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x58, environ)")
OneGadget::Gadget.add(build_id, 248492,
- constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL"],
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL || {x4, x3, x23, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x58, environ)")
OneGadget::Gadget.add(build_id, 248552,
- constraints: ["writable: x20+0x4", "[x22] == NULL || x22 == NULL"],
+ constraints: ["writable: x20+0x4", "[x22] == NULL || x22 == NULL || x22 is a valid argv"],
effect: "execve(\"/bin/sh\", x22, environ)")
OneGadget::Gadget.add(build_id, 399116,
constraints: ["x2+0xc50 == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-5284cbfbd543755c2fa4df64a20ccb14e7ded30c.rb b/lib/one_gadget/builds/libc-2.24-5284cbfbd543755c2fa4df64a20ccb14e7ded30c.rb
index d31f077..5c97b58 100644
--- a/lib/one_gadget/builds/libc-2.24-5284cbfbd543755c2fa4df64a20ccb14e7ded30c.rb
+++ b/lib/one_gadget/builds/libc-2.24-5284cbfbd543755c2fa4df64a20ccb14e7ded30c.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233509,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233511,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233515,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233522,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233557,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233558,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 385119,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-53bab59259db20458dc7d753dd2950916f6e47de.rb b/lib/one_gadget/builds/libc-2.24-53bab59259db20458dc7d753dd2950916f6e47de.rb
index afa6d78..843fea6 100644
--- a/lib/one_gadget/builds/libc-2.24-53bab59259db20458dc7d753dd2950916f6e47de.rb
+++ b/lib/one_gadget/builds/libc-2.24-53bab59259db20458dc7d753dd2950916f6e47de.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234245,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234247,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234251,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234258,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234293,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234294,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 384815,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-568d20b7e0d08bc282fb42ae405c7054e4209ede.rb b/lib/one_gadget/builds/libc-2.24-568d20b7e0d08bc282fb42ae405c7054e4209ede.rb
index 6b34297..ac8e7e5 100644
--- a/lib/one_gadget/builds/libc-2.24-568d20b7e0d08bc282fb42ae405c7054e4209ede.rb
+++ b/lib/one_gadget/builds/libc-2.24-568d20b7e0d08bc282fb42ae405c7054e4209ede.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258943,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258950,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259034,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756607,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878847,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 878859,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-595aeaf311d354bbcd3f311e218f6b40fe711046.rb b/lib/one_gadget/builds/libc-2.24-595aeaf311d354bbcd3f311e218f6b40fe711046.rb
index c199aec..e914628 100644
--- a/lib/one_gadget/builds/libc-2.24-595aeaf311d354bbcd3f311e218f6b40fe711046.rb
+++ b/lib/one_gadget/builds/libc-2.24-595aeaf311d354bbcd3f311e218f6b40fe711046.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234309,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234311,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234315,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234322,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234357,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234358,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 384879,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-5a75868ead9dbb03eb4d668ff2918f341f949387.rb b/lib/one_gadget/builds/libc-2.24-5a75868ead9dbb03eb4d668ff2918f341f949387.rb
index 4b2b32b..6f5e89f 100644
--- a/lib/one_gadget/builds/libc-2.24-5a75868ead9dbb03eb4d668ff2918f341f949387.rb
+++ b/lib/one_gadget/builds/libc-2.24-5a75868ead9dbb03eb4d668ff2918f341f949387.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239292,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239294,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239298,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239305,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239340,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239341,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 391013,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-5b72576ff331e93852355123afecdec70fd247b5.rb b/lib/one_gadget/builds/libc-2.24-5b72576ff331e93852355123afecdec70fd247b5.rb
index 4eb7858..b8ba826 100644
--- a/lib/one_gadget/builds/libc-2.24-5b72576ff331e93852355123afecdec70fd247b5.rb
+++ b/lib/one_gadget/builds/libc-2.24-5b72576ff331e93852355123afecdec70fd247b5.rb
@@ -19,31 +19,34 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 283935,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 283942,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 284026,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 840257,
- constraints: ["[r15] == NULL || r15 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", r15, r13)")
OneGadget::Gadget.add(build_id, 840929,
- constraints: ["[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL"],
+ constraints: ["[[rbp-0x78]] == NULL || [rbp-0x78] == NULL || [rbp-0x78] is a valid argv", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL || [rbp-0x50] is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x50])")
OneGadget::Gadget.add(build_id, 840933,
- constraints: ["[r9] == NULL || r9 == NULL", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL || [rbp-0x50] is a valid envp"],
effect: "execve(\"/bin/sh\", r9, [rbp-0x50])")
OneGadget::Gadget.add(build_id, 840937,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
OneGadget::Gadget.add(build_id, 985681,
- constraints: ["[rsp+0x40] == NULL"],
+ constraints: ["[rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
OneGadget::Gadget.add(build_id, 985693,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 989387,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
diff --git a/lib/one_gadget/builds/libc-2.24-6194e9b483a157d38ab633a5bf3c37f9ed6b7e04.rb b/lib/one_gadget/builds/libc-2.24-6194e9b483a157d38ab633a5bf3c37f9ed6b7e04.rb
index 2981650..08314ee 100644
--- a/lib/one_gadget/builds/libc-2.24-6194e9b483a157d38ab633a5bf3c37f9ed6b7e04.rb
+++ b/lib/one_gadget/builds/libc-2.24-6194e9b483a157d38ab633a5bf3c37f9ed6b7e04.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254674,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254681,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254765,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 707144,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 836605,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 836617,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-6a5885d005a0e25074da79038453af3c1bbd16a1.rb b/lib/one_gadget/builds/libc-2.24-6a5885d005a0e25074da79038453af3c1bbd16a1.rb
index 7515ba7..b9923ba 100644
--- a/lib/one_gadget/builds/libc-2.24-6a5885d005a0e25074da79038453af3c1bbd16a1.rb
+++ b/lib/one_gadget/builds/libc-2.24-6a5885d005a0e25074da79038453af3c1bbd16a1.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258959,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258966,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259050,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756344,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878629,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878641,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-6a6d4ead4f4d511091e34c8baebaab04b97913e0.rb b/lib/one_gadget/builds/libc-2.24-6a6d4ead4f4d511091e34c8baebaab04b97913e0.rb
index 1d9b514..7347ae1 100644
--- a/lib/one_gadget/builds/libc-2.24-6a6d4ead4f4d511091e34c8baebaab04b97913e0.rb
+++ b/lib/one_gadget/builds/libc-2.24-6a6d4ead4f4d511091e34c8baebaab04b97913e0.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234405,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234407,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234411,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234418,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234453,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234454,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 384831,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-6d3ffad6407f2ea71f9121d761426f3a917f4216.rb b/lib/one_gadget/builds/libc-2.24-6d3ffad6407f2ea71f9121d761426f3a917f4216.rb
index 6567fad..8b83759 100644
--- a/lib/one_gadget/builds/libc-2.24-6d3ffad6407f2ea71f9121d761426f3a917f4216.rb
+++ b/lib/one_gadget/builds/libc-2.24-6d3ffad6407f2ea71f9121d761426f3a917f4216.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234245,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234247,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234251,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234258,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234293,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234294,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 384815,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-6dd40dc4bc5ee908b857c00c1b2a00c58ebc1596.rb b/lib/one_gadget/builds/libc-2.24-6dd40dc4bc5ee908b857c00c1b2a00c58ebc1596.rb
index d30c70a..8fb29d4 100644
--- a/lib/one_gadget/builds/libc-2.24-6dd40dc4bc5ee908b857c00c1b2a00c58ebc1596.rb
+++ b/lib/one_gadget/builds/libc-2.24-6dd40dc4bc5ee908b857c00c1b2a00c58ebc1596.rb
@@ -19,22 +19,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 486989,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x24, environ)")
OneGadget::Gadget.add(build_id, 486991,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 486995,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 487002,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 487037,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 487038,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 642163,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-756da9d194e16bccf2c342a12d8ea01e677fcba7.rb b/lib/one_gadget/builds/libc-2.24-756da9d194e16bccf2c342a12d8ea01e677fcba7.rb
index b5eb4b9..d291291 100644
--- a/lib/one_gadget/builds/libc-2.24-756da9d194e16bccf2c342a12d8ea01e677fcba7.rb
+++ b/lib/one_gadget/builds/libc-2.24-756da9d194e16bccf2c342a12d8ea01e677fcba7.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258735,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258742,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258826,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756767,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878959,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 878971,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-7a7fafb866f1680656f7343e9d38fa76986bcfff.rb b/lib/one_gadget/builds/libc-2.24-7a7fafb866f1680656f7343e9d38fa76986bcfff.rb
index 732ff7b..f13d9a6 100644
--- a/lib/one_gadget/builds/libc-2.24-7a7fafb866f1680656f7343e9d38fa76986bcfff.rb
+++ b/lib/one_gadget/builds/libc-2.24-7a7fafb866f1680656f7343e9d38fa76986bcfff.rb
@@ -19,22 +19,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 489965,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x24, environ)")
OneGadget::Gadget.add(build_id, 489967,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 489971,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 489978,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 490013,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 490014,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 645139,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-7e0f1b3a8efe3adcf3080b20447ac4bd47aaf489.rb b/lib/one_gadget/builds/libc-2.24-7e0f1b3a8efe3adcf3080b20447ac4bd47aaf489.rb
index 93e2b4e..62bcec2 100644
--- a/lib/one_gadget/builds/libc-2.24-7e0f1b3a8efe3adcf3080b20447ac4bd47aaf489.rb
+++ b/lib/one_gadget/builds/libc-2.24-7e0f1b3a8efe3adcf3080b20447ac4bd47aaf489.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258927,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258934,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259018,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756520,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878805,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878817,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-805005b60c0c3e63eb593a5041fc9f7803e3b87d.rb b/lib/one_gadget/builds/libc-2.24-805005b60c0c3e63eb593a5041fc9f7803e3b87d.rb
index e81d236..75e4b0e 100644
--- a/lib/one_gadget/builds/libc-2.24-805005b60c0c3e63eb593a5041fc9f7803e3b87d.rb
+++ b/lib/one_gadget/builds/libc-2.24-805005b60c0c3e63eb593a5041fc9f7803e3b87d.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240492,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240494,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240498,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240505,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240540,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240541,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 392117,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-856e263a6c8431b34f1ab69b55abbe453a135c52.rb b/lib/one_gadget/builds/libc-2.24-856e263a6c8431b34f1ab69b55abbe453a135c52.rb
index 0fe064a..5aec5cb 100644
--- a/lib/one_gadget/builds/libc-2.24-856e263a6c8431b34f1ab69b55abbe453a135c52.rb
+++ b/lib/one_gadget/builds/libc-2.24-856e263a6c8431b34f1ab69b55abbe453a135c52.rb
@@ -19,22 +19,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 489965,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x24, environ)")
OneGadget::Gadget.add(build_id, 489967,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 489971,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 489978,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 490013,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 490014,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 645139,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-8a683c08dbc27e1ceab72d87cd00b5d6208f7620.rb b/lib/one_gadget/builds/libc-2.24-8a683c08dbc27e1ceab72d87cd00b5d6208f7620.rb
index f5d5cce..bf3a94a 100644
--- a/lib/one_gadget/builds/libc-2.24-8a683c08dbc27e1ceab72d87cd00b5d6208f7620.rb
+++ b/lib/one_gadget/builds/libc-2.24-8a683c08dbc27e1ceab72d87cd00b5d6208f7620.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254498,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254505,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254589,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 706968,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 836157,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 836169,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-8cba3297f538691eb1875be62986993c004f3f4d.rb b/lib/one_gadget/builds/libc-2.24-8cba3297f538691eb1875be62986993c004f3f4d.rb
index 856358d..c2dc5c0 100644
--- a/lib/one_gadget/builds/libc-2.24-8cba3297f538691eb1875be62986993c004f3f4d.rb
+++ b/lib/one_gadget/builds/libc-2.24-8cba3297f538691eb1875be62986993c004f3f4d.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258895,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258902,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258986,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756280,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878565,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878577,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-8eb1e49d70f349433d3d4a712b4746c73481012d.rb b/lib/one_gadget/builds/libc-2.24-8eb1e49d70f349433d3d4a712b4746c73481012d.rb
index 5149501..8482cb6 100644
--- a/lib/one_gadget/builds/libc-2.24-8eb1e49d70f349433d3d4a712b4746c73481012d.rb
+++ b/lib/one_gadget/builds/libc-2.24-8eb1e49d70f349433d3d4a712b4746c73481012d.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233589,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233591,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233595,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233602,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233637,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233638,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 385199,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-91b0020fb992b67e3c368576943fde81e4ec7ec9.rb b/lib/one_gadget/builds/libc-2.24-91b0020fb992b67e3c368576943fde81e4ec7ec9.rb
index f51e4a1..089e739 100644
--- a/lib/one_gadget/builds/libc-2.24-91b0020fb992b67e3c368576943fde81e4ec7ec9.rb
+++ b/lib/one_gadget/builds/libc-2.24-91b0020fb992b67e3c368576943fde81e4ec7ec9.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254674,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254681,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254765,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 707144,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 836605,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 836617,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-9378343c5442ef04933110045638b2daafa16098.rb b/lib/one_gadget/builds/libc-2.24-9378343c5442ef04933110045638b2daafa16098.rb
index 37c3281..33f88bf 100644
--- a/lib/one_gadget/builds/libc-2.24-9378343c5442ef04933110045638b2daafa16098.rb
+++ b/lib/one_gadget/builds/libc-2.24-9378343c5442ef04933110045638b2daafa16098.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239372,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239374,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239378,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239385,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239420,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239421,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 391093,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-976f2a94a6a1db73c935bce8db1e5a28a46d8535.rb b/lib/one_gadget/builds/libc-2.24-976f2a94a6a1db73c935bce8db1e5a28a46d8535.rb
index 0674395..7f078ef 100644
--- a/lib/one_gadget/builds/libc-2.24-976f2a94a6a1db73c935bce8db1e5a28a46d8535.rb
+++ b/lib/one_gadget/builds/libc-2.24-976f2a94a6a1db73c935bce8db1e5a28a46d8535.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239292,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239294,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239298,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239305,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239340,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239341,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 391013,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-980296526a2060e4e53dfa8ded76917c3f9b851c.rb b/lib/one_gadget/builds/libc-2.24-980296526a2060e4e53dfa8ded76917c3f9b851c.rb
index ebedc00..428111e 100644
--- a/lib/one_gadget/builds/libc-2.24-980296526a2060e4e53dfa8ded76917c3f9b851c.rb
+++ b/lib/one_gadget/builds/libc-2.24-980296526a2060e4e53dfa8ded76917c3f9b851c.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233589,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233591,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233595,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233602,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233637,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233638,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 385199,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-9a006ea92b333aa035fdecc8dc0b28e1d04edd37.rb b/lib/one_gadget/builds/libc-2.24-9a006ea92b333aa035fdecc8dc0b28e1d04edd37.rb
index 71b688f..22c5d9d 100644
--- a/lib/one_gadget/builds/libc-2.24-9a006ea92b333aa035fdecc8dc0b28e1d04edd37.rb
+++ b/lib/one_gadget/builds/libc-2.24-9a006ea92b333aa035fdecc8dc0b28e1d04edd37.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240492,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240494,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240498,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240505,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240540,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240541,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 392117,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-9ae48d5843f29af366655a00fb0636db91328abb.rb b/lib/one_gadget/builds/libc-2.24-9ae48d5843f29af366655a00fb0636db91328abb.rb
index fe9cd4e..3a54ab1 100644
--- a/lib/one_gadget/builds/libc-2.24-9ae48d5843f29af366655a00fb0636db91328abb.rb
+++ b/lib/one_gadget/builds/libc-2.24-9ae48d5843f29af366655a00fb0636db91328abb.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254498,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254505,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254589,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 706911,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 836077,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 836089,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-9b7db6636c9f2f03c9523b02db229741e2250550.rb b/lib/one_gadget/builds/libc-2.24-9b7db6636c9f2f03c9523b02db229741e2250550.rb
index c681087..5ce2624 100644
--- a/lib/one_gadget/builds/libc-2.24-9b7db6636c9f2f03c9523b02db229741e2250550.rb
+++ b/lib/one_gadget/builds/libc-2.24-9b7db6636c9f2f03c9523b02db229741e2250550.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258751,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258758,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258842,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756424,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878693,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878705,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-9e638553dc7a08748d03c42455ecd6bb9bd8f8cd.rb b/lib/one_gadget/builds/libc-2.24-9e638553dc7a08748d03c42455ecd6bb9bd8f8cd.rb
index b82e4e1..102aa3c 100644
--- a/lib/one_gadget/builds/libc-2.24-9e638553dc7a08748d03c42455ecd6bb9bd8f8cd.rb
+++ b/lib/one_gadget/builds/libc-2.24-9e638553dc7a08748d03c42455ecd6bb9bd8f8cd.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233589,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233591,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233595,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233602,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233637,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233638,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 385199,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-a4c01d397b6584f7040ef266b16a5d4da0b7a087.rb b/lib/one_gadget/builds/libc-2.24-a4c01d397b6584f7040ef266b16a5d4da0b7a087.rb
index e17f044..fd16e17 100644
--- a/lib/one_gadget/builds/libc-2.24-a4c01d397b6584f7040ef266b16a5d4da0b7a087.rb
+++ b/lib/one_gadget/builds/libc-2.24-a4c01d397b6584f7040ef266b16a5d4da0b7a087.rb
@@ -19,17 +19,26 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248396,
+ constraints: ["writable: x19+0x258", "{\"sh\", \"-c\", x24, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x68, environ)")
OneGadget::Gadget.add(build_id, 248400,
- constraints: ["writable: x19+0x258", "x3+0xbb8 == NULL"],
+ constraints: ["writable: x19+0x258", "x3+0xbb8 == NULL || {x3+0xbb8, \"-c\", x24, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x68, environ)")
OneGadget::Gadget.add(build_id, 248404,
- constraints: ["writable: x19+0x258", "x3 == NULL"],
+ constraints: ["writable: x19+0x258", "x3 == NULL || {x3, \"-c\", x24, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x68, environ)")
+OneGadget::Gadget.add(build_id, 248412,
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "x3 == NULL || {x3, x0+0xbc0, x24, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x68, environ)")
+OneGadget::Gadget.add(build_id, 248416,
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "x3 == NULL || {x3, x0, x24, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x68, environ)")
OneGadget::Gadget.add(build_id, 248440,
- constraints: ["writable: x19+0x258", "writable: x20+0x4", "[sp+0x68] == NULL"],
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "[sp+0x68] == NULL || {[sp+0x68], [sp+0x70], [sp+0x78], [sp+0x80], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x68, environ)")
OneGadget::Gadget.add(build_id, 248476,
- constraints: ["writable: x19+0x258", "writable: x20+0x4", "[x21] == NULL || x21 == NULL"],
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "[x21] == NULL || x21 == NULL || x21 is a valid argv"],
effect: "execve(\"/bin/sh\", x21, environ)")
OneGadget::Gadget.add(build_id, 398984,
constraints: ["x2+0xbc0 == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-a51ace667ccae6a8887837efb18259a906704bed.rb b/lib/one_gadget/builds/libc-2.24-a51ace667ccae6a8887837efb18259a906704bed.rb
index b5123f9..d311b37 100644
--- a/lib/one_gadget/builds/libc-2.24-a51ace667ccae6a8887837efb18259a906704bed.rb
+++ b/lib/one_gadget/builds/libc-2.24-a51ace667ccae6a8887837efb18259a906704bed.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 241372,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 241374,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 241378,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241385,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241420,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241421,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393909,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-a822e789c3428254f309f81600b9e5ae551a3461.rb b/lib/one_gadget/builds/libc-2.24-a822e789c3428254f309f81600b9e5ae551a3461.rb
index 42976ce..4e8cc36 100644
--- a/lib/one_gadget/builds/libc-2.24-a822e789c3428254f309f81600b9e5ae551a3461.rb
+++ b/lib/one_gadget/builds/libc-2.24-a822e789c3428254f309f81600b9e5ae551a3461.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233509,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233511,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233515,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233522,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233557,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233558,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 385119,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-aad7dbe330f23ea00ca63daf793b766b51aceb5d.rb b/lib/one_gadget/builds/libc-2.24-aad7dbe330f23ea00ca63daf793b766b51aceb5d.rb
index 615a146..2d87598 100644
--- a/lib/one_gadget/builds/libc-2.24-aad7dbe330f23ea00ca63daf793b766b51aceb5d.rb
+++ b/lib/one_gadget/builds/libc-2.24-aad7dbe330f23ea00ca63daf793b766b51aceb5d.rb
@@ -19,31 +19,34 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 283935,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 283942,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 284026,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 843329,
- constraints: ["[r15] == NULL || r15 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", r15, r13)")
OneGadget::Gadget.add(build_id, 844001,
- constraints: ["[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL"],
+ constraints: ["[[rbp-0x78]] == NULL || [rbp-0x78] == NULL || [rbp-0x78] is a valid argv", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL || [rbp-0x50] is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x50])")
OneGadget::Gadget.add(build_id, 844005,
- constraints: ["[r9] == NULL || r9 == NULL", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL || [rbp-0x50] is a valid envp"],
effect: "execve(\"/bin/sh\", r9, [rbp-0x50])")
OneGadget::Gadget.add(build_id, 844009,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r9, rdx)")
OneGadget::Gadget.add(build_id, 988753,
- constraints: ["[rsp+0x40] == NULL"],
+ constraints: ["[rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
OneGadget::Gadget.add(build_id, 988765,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 992459,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
diff --git a/lib/one_gadget/builds/libc-2.24-acd08eb60d44e32e85530f0537d46f8cd422403e.rb b/lib/one_gadget/builds/libc-2.24-acd08eb60d44e32e85530f0537d46f8cd422403e.rb
index 1553d64..75adc03 100644
--- a/lib/one_gadget/builds/libc-2.24-acd08eb60d44e32e85530f0537d46f8cd422403e.rb
+++ b/lib/one_gadget/builds/libc-2.24-acd08eb60d44e32e85530f0537d46f8cd422403e.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233589,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233591,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233595,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233602,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233637,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233638,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 385199,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-b81a06f0ac241c4aa8860602d9abcc903adbb675.rb b/lib/one_gadget/builds/libc-2.24-b81a06f0ac241c4aa8860602d9abcc903adbb675.rb
index ffd96dd..d17b3f3 100644
--- a/lib/one_gadget/builds/libc-2.24-b81a06f0ac241c4aa8860602d9abcc903adbb675.rb
+++ b/lib/one_gadget/builds/libc-2.24-b81a06f0ac241c4aa8860602d9abcc903adbb675.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239564,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239566,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239570,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239577,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239612,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239613,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 391285,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-b8a944084a03aec90d871ca8a5fac48801cc064d.rb b/lib/one_gadget/builds/libc-2.24-b8a944084a03aec90d871ca8a5fac48801cc064d.rb
index 54ecd74..7833cd8 100644
--- a/lib/one_gadget/builds/libc-2.24-b8a944084a03aec90d871ca8a5fac48801cc064d.rb
+++ b/lib/one_gadget/builds/libc-2.24-b8a944084a03aec90d871ca8a5fac48801cc064d.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239372,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239374,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239378,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239385,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239420,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239421,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 391093,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-b95a6603e6113924f82409ff65e6ed1514afd3db.rb b/lib/one_gadget/builds/libc-2.24-b95a6603e6113924f82409ff65e6ed1514afd3db.rb
index c7cc26b..0ce065d 100644
--- a/lib/one_gadget/builds/libc-2.24-b95a6603e6113924f82409ff65e6ed1514afd3db.rb
+++ b/lib/one_gadget/builds/libc-2.24-b95a6603e6113924f82409ff65e6ed1514afd3db.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254482,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254489,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254573,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 706911,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 836071,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 836083,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-bb0d156759d9bdfec06f5decd1c03785bcbc0ba1.rb b/lib/one_gadget/builds/libc-2.24-bb0d156759d9bdfec06f5decd1c03785bcbc0ba1.rb
index 8423dea..7a84bca 100644
--- a/lib/one_gadget/builds/libc-2.24-bb0d156759d9bdfec06f5decd1c03785bcbc0ba1.rb
+++ b/lib/one_gadget/builds/libc-2.24-bb0d156759d9bdfec06f5decd1c03785bcbc0ba1.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239372,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239374,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239378,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239385,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239420,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239421,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 391093,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-bccffaa4c34e166b9c09e8802ce09989d1e8f46a.rb b/lib/one_gadget/builds/libc-2.24-bccffaa4c34e166b9c09e8802ce09989d1e8f46a.rb
index 71c1a93..cdec359 100644
--- a/lib/one_gadget/builds/libc-2.24-bccffaa4c34e166b9c09e8802ce09989d1e8f46a.rb
+++ b/lib/one_gadget/builds/libc-2.24-bccffaa4c34e166b9c09e8802ce09989d1e8f46a.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258735,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258742,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258826,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756655,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878847,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 878859,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-be6d412ecc4816c46eb49e750b02f714a9131c4e.rb b/lib/one_gadget/builds/libc-2.24-be6d412ecc4816c46eb49e750b02f714a9131c4e.rb
index 78283ef..fc6c138 100644
--- a/lib/one_gadget/builds/libc-2.24-be6d412ecc4816c46eb49e750b02f714a9131c4e.rb
+++ b/lib/one_gadget/builds/libc-2.24-be6d412ecc4816c46eb49e750b02f714a9131c4e.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 241372,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 241374,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 241378,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241385,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241420,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241421,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393909,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-c116abd24efe14f6dc2f98cef3d673934f6d66d0.rb b/lib/one_gadget/builds/libc-2.24-c116abd24efe14f6dc2f98cef3d673934f6d66d0.rb
index f2e39d9..136ada2 100644
--- a/lib/one_gadget/builds/libc-2.24-c116abd24efe14f6dc2f98cef3d673934f6d66d0.rb
+++ b/lib/one_gadget/builds/libc-2.24-c116abd24efe14f6dc2f98cef3d673934f6d66d0.rb
@@ -19,19 +19,19 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 438928,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 438947,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
OneGadget::Gadget.add(build_id, 438949,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
OneGadget::Gadget.add(build_id, 438953,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 438954,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 591648,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-c1fd7dc1c8a6915e5f7a7f24a5901a239d473f08.rb b/lib/one_gadget/builds/libc-2.24-c1fd7dc1c8a6915e5f7a7f24a5901a239d473f08.rb
index 7282ae9..336a587 100644
--- a/lib/one_gadget/builds/libc-2.24-c1fd7dc1c8a6915e5f7a7f24a5901a239d473f08.rb
+++ b/lib/one_gadget/builds/libc-2.24-c1fd7dc1c8a6915e5f7a7f24a5901a239d473f08.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239372,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239374,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239378,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239385,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239420,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239421,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 391093,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-c451b072ff6aa62ba6e054c06e633fa297a3a7eb.rb b/lib/one_gadget/builds/libc-2.24-c451b072ff6aa62ba6e054c06e633fa297a3a7eb.rb
index 75c3109..131161e 100644
--- a/lib/one_gadget/builds/libc-2.24-c451b072ff6aa62ba6e054c06e633fa297a3a7eb.rb
+++ b/lib/one_gadget/builds/libc-2.24-c451b072ff6aa62ba6e054c06e633fa297a3a7eb.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258751,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258758,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258842,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756392,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878661,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878673,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-c5a0679981d0258465ddba6b975c9340cbf20d22.rb b/lib/one_gadget/builds/libc-2.24-c5a0679981d0258465ddba6b975c9340cbf20d22.rb
index cfad77d..21c6699 100644
--- a/lib/one_gadget/builds/libc-2.24-c5a0679981d0258465ddba6b975c9340cbf20d22.rb
+++ b/lib/one_gadget/builds/libc-2.24-c5a0679981d0258465ddba6b975c9340cbf20d22.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258751,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258758,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258842,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756383,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878629,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878641,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-c62f8c5ce9f5304f054922d39d0c0fa94d9e9531.rb b/lib/one_gadget/builds/libc-2.24-c62f8c5ce9f5304f054922d39d0c0fa94d9e9531.rb
index 7ce4e24..b933be0 100644
--- a/lib/one_gadget/builds/libc-2.24-c62f8c5ce9f5304f054922d39d0c0fa94d9e9531.rb
+++ b/lib/one_gadget/builds/libc-2.24-c62f8c5ce9f5304f054922d39d0c0fa94d9e9531.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240876,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240878,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240882,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240889,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240924,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240925,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393429,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-c7d3ac73ddd0865d350bd570771cf3a964a1ddbd.rb b/lib/one_gadget/builds/libc-2.24-c7d3ac73ddd0865d350bd570771cf3a964a1ddbd.rb
index bb2b683..4e88daf 100644
--- a/lib/one_gadget/builds/libc-2.24-c7d3ac73ddd0865d350bd570771cf3a964a1ddbd.rb
+++ b/lib/one_gadget/builds/libc-2.24-c7d3ac73ddd0865d350bd570771cf3a964a1ddbd.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239372,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239374,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239378,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239385,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239420,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239421,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 391093,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-c9133ae8d86b5d469422e0c51a19e7910ebeae41.rb b/lib/one_gadget/builds/libc-2.24-c9133ae8d86b5d469422e0c51a19e7910ebeae41.rb
index f083fc6..25911ef 100644
--- a/lib/one_gadget/builds/libc-2.24-c9133ae8d86b5d469422e0c51a19e7910ebeae41.rb
+++ b/lib/one_gadget/builds/libc-2.24-c9133ae8d86b5d469422e0c51a19e7910ebeae41.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258735,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258742,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258826,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756767,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878959,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 878971,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-cc7e13208dfc283e75a9491f8507429f647eac05.rb b/lib/one_gadget/builds/libc-2.24-cc7e13208dfc283e75a9491f8507429f647eac05.rb
index 1f87c34..e12a297 100644
--- a/lib/one_gadget/builds/libc-2.24-cc7e13208dfc283e75a9491f8507429f647eac05.rb
+++ b/lib/one_gadget/builds/libc-2.24-cc7e13208dfc283e75a9491f8507429f647eac05.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254498,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254505,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254589,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 706943,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 836125,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 836137,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-d2a8a8ac188a6c3bafa4813a3d2789240ee49489.rb b/lib/one_gadget/builds/libc-2.24-d2a8a8ac188a6c3bafa4813a3d2789240ee49489.rb
index 20eb995..dd275a3 100644
--- a/lib/one_gadget/builds/libc-2.24-d2a8a8ac188a6c3bafa4813a3d2789240ee49489.rb
+++ b/lib/one_gadget/builds/libc-2.24-d2a8a8ac188a6c3bafa4813a3d2789240ee49489.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 241436,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 241438,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 241442,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241449,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241484,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241485,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393973,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-d67af93d54c07bbe5d252ef6f176ec77b866c786.rb b/lib/one_gadget/builds/libc-2.24-d67af93d54c07bbe5d252ef6f176ec77b866c786.rb
index 078352c..7cfadb7 100644
--- a/lib/one_gadget/builds/libc-2.24-d67af93d54c07bbe5d252ef6f176ec77b866c786.rb
+++ b/lib/one_gadget/builds/libc-2.24-d67af93d54c07bbe5d252ef6f176ec77b866c786.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240876,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240878,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240882,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240889,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240924,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240925,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393429,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-d8ba284042773fed1189bcf927960999f4c1de55.rb b/lib/one_gadget/builds/libc-2.24-d8ba284042773fed1189bcf927960999f4c1de55.rb
index 2ce71e3..761ee79 100644
--- a/lib/one_gadget/builds/libc-2.24-d8ba284042773fed1189bcf927960999f4c1de55.rb
+++ b/lib/one_gadget/builds/libc-2.24-d8ba284042773fed1189bcf927960999f4c1de55.rb
@@ -19,22 +19,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 487261,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x24, environ)")
OneGadget::Gadget.add(build_id, 487263,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 487267,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 487274,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 487309,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 487310,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 642435,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-da518391ad926bb7535f2095df0be265180eeed5.rb b/lib/one_gadget/builds/libc-2.24-da518391ad926bb7535f2095df0be265180eeed5.rb
index 0a5f730..3a40f3e 100644
--- a/lib/one_gadget/builds/libc-2.24-da518391ad926bb7535f2095df0be265180eeed5.rb
+++ b/lib/one_gadget/builds/libc-2.24-da518391ad926bb7535f2095df0be265180eeed5.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258751,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258758,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258842,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756424,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878693,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878705,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-dab413a7e3b33dde527af308a09a55ade6b41e84.rb b/lib/one_gadget/builds/libc-2.24-dab413a7e3b33dde527af308a09a55ade6b41e84.rb
index 1947fcb..7ce2b9c 100644
--- a/lib/one_gadget/builds/libc-2.24-dab413a7e3b33dde527af308a09a55ade6b41e84.rb
+++ b/lib/one_gadget/builds/libc-2.24-dab413a7e3b33dde527af308a09a55ade6b41e84.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258735,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258742,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258826,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756319,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878511,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 878523,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-dc799b9197929f88cebc6aa72e3be388cacfb1df.rb b/lib/one_gadget/builds/libc-2.24-dc799b9197929f88cebc6aa72e3be388cacfb1df.rb
index 82ed978..753672c 100644
--- a/lib/one_gadget/builds/libc-2.24-dc799b9197929f88cebc6aa72e3be388cacfb1df.rb
+++ b/lib/one_gadget/builds/libc-2.24-dc799b9197929f88cebc6aa72e3be388cacfb1df.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239372,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239374,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239378,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239385,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239420,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239421,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 391093,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-deefae132c5a39ba892bc189edd91f73c1ea1f14.rb b/lib/one_gadget/builds/libc-2.24-deefae132c5a39ba892bc189edd91f73c1ea1f14.rb
index 1eb1cc9..ac538f3 100644
--- a/lib/one_gadget/builds/libc-2.24-deefae132c5a39ba892bc189edd91f73c1ea1f14.rb
+++ b/lib/one_gadget/builds/libc-2.24-deefae132c5a39ba892bc189edd91f73c1ea1f14.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258959,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258966,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259050,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756632,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878901,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878913,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-dff06414a29b97b865ef938e06a7751fe8b1b2d0.rb b/lib/one_gadget/builds/libc-2.24-dff06414a29b97b865ef938e06a7751fe8b1b2d0.rb
index 3a3b986..90d9fd3 100644
--- a/lib/one_gadget/builds/libc-2.24-dff06414a29b97b865ef938e06a7751fe8b1b2d0.rb
+++ b/lib/one_gadget/builds/libc-2.24-dff06414a29b97b865ef938e06a7751fe8b1b2d0.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 241436,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 241438,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 241442,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 241449,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 241484,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 241485,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 393973,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-e0206d9b8d7ad3abc39a94dbc37bb3b42c9f1345.rb b/lib/one_gadget/builds/libc-2.24-e0206d9b8d7ad3abc39a94dbc37bb3b42c9f1345.rb
index dab4c8b..7dea270 100644
--- a/lib/one_gadget/builds/libc-2.24-e0206d9b8d7ad3abc39a94dbc37bb3b42c9f1345.rb
+++ b/lib/one_gadget/builds/libc-2.24-e0206d9b8d7ad3abc39a94dbc37bb3b42c9f1345.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 239292,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 239294,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 239298,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 239305,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 239340,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 239341,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 391013,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-e5dc6c0caa39828fa10ed37e642723a581acdb6d.rb b/lib/one_gadget/builds/libc-2.24-e5dc6c0caa39828fa10ed37e642723a581acdb6d.rb
index a63467b..61b4190 100644
--- a/lib/one_gadget/builds/libc-2.24-e5dc6c0caa39828fa10ed37e642723a581acdb6d.rb
+++ b/lib/one_gadget/builds/libc-2.24-e5dc6c0caa39828fa10ed37e642723a581acdb6d.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258943,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258950,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 259034,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 757039,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 879279,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 879291,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-e7de387eec0b57da248cc4e74edefcfcb55bd204.rb b/lib/one_gadget/builds/libc-2.24-e7de387eec0b57da248cc4e74edefcfcb55bd204.rb
index f766273..5adebe1 100644
--- a/lib/one_gadget/builds/libc-2.24-e7de387eec0b57da248cc4e74edefcfcb55bd204.rb
+++ b/lib/one_gadget/builds/libc-2.24-e7de387eec0b57da248cc4e74edefcfcb55bd204.rb
@@ -19,22 +19,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 487725,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x24, environ)")
OneGadget::Gadget.add(build_id, 487727,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 487731,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 487738,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 487773,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 487774,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 642899,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-eaadebbded05e24bc9853c39b2241436f96d41ef.rb b/lib/one_gadget/builds/libc-2.24-eaadebbded05e24bc9853c39b2241436f96d41ef.rb
index c50a836..3577d76 100644
--- a/lib/one_gadget/builds/libc-2.24-eaadebbded05e24bc9853c39b2241436f96d41ef.rb
+++ b/lib/one_gadget/builds/libc-2.24-eaadebbded05e24bc9853c39b2241436f96d41ef.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 233509,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 233511,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 233515,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 233522,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 233557,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 233558,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 385119,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-eb6b0b1e1c5cf4579e66eadb083885884dc0b648.rb b/lib/one_gadget/builds/libc-2.24-eb6b0b1e1c5cf4579e66eadb083885884dc0b648.rb
index b836f82..89d09ed 100644
--- a/lib/one_gadget/builds/libc-2.24-eb6b0b1e1c5cf4579e66eadb083885884dc0b648.rb
+++ b/lib/one_gadget/builds/libc-2.24-eb6b0b1e1c5cf4579e66eadb083885884dc0b648.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254482,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254489,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 254573,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 707343,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 836503,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 836515,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-f5ffc1b2b1282d79097f4ce84b519d326dce1247.rb b/lib/one_gadget/builds/libc-2.24-f5ffc1b2b1282d79097f4ce84b519d326dce1247.rb
index 8019c31..763c0bb 100644
--- a/lib/one_gadget/builds/libc-2.24-f5ffc1b2b1282d79097f4ce84b519d326dce1247.rb
+++ b/lib/one_gadget/builds/libc-2.24-f5ffc1b2b1282d79097f4ce84b519d326dce1247.rb
@@ -19,19 +19,22 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258751,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258758,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 258842,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 756399,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 878661,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 878673,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-fb431a54ddae802fd1c59850cbbc408a05d3deb8.rb b/lib/one_gadget/builds/libc-2.24-fb431a54ddae802fd1c59850cbbc408a05d3deb8.rb
index 030d9ff..d265440 100644
--- a/lib/one_gadget/builds/libc-2.24-fb431a54ddae802fd1c59850cbbc408a05d3deb8.rb
+++ b/lib/one_gadget/builds/libc-2.24-fb431a54ddae802fd1c59850cbbc408a05d3deb8.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 240124,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 240126,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 240130,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 240137,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 240172,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 240173,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 391077,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-fc121fe8b1eaa6ea0babbc3b8ce6e12adfcc3719.rb b/lib/one_gadget/builds/libc-2.24-fc121fe8b1eaa6ea0babbc3b8ce6e12adfcc3719.rb
index a8e14cc..1c75ca9 100644
--- a/lib/one_gadget/builds/libc-2.24-fc121fe8b1eaa6ea0babbc3b8ce6e12adfcc3719.rb
+++ b/lib/one_gadget/builds/libc-2.24-fc121fe8b1eaa6ea0babbc3b8ce6e12adfcc3719.rb
@@ -19,22 +19,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 488013,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x24, environ)")
OneGadget::Gadget.add(build_id, 488015,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x28, environ)")
OneGadget::Gadget.add(build_id, 488019,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 488026,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 488061,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 488062,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 643139,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-fd0655c4d2073eda4235084e1d0e558f0251be8a.rb b/lib/one_gadget/builds/libc-2.24-fd0655c4d2073eda4235084e1d0e558f0251be8a.rb
index 13ebf3c..0bf21fd 100644
--- a/lib/one_gadget/builds/libc-2.24-fd0655c4d2073eda4235084e1d0e558f0251be8a.rb
+++ b/lib/one_gadget/builds/libc-2.24-fd0655c4d2073eda4235084e1d0e558f0251be8a.rb
@@ -19,14 +19,23 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248092,
+ constraints: ["writable: x19+0x258", "{\"sh\", \"-c\", x23, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x58, environ)")
+OneGadget::Gadget.add(build_id, 248100,
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0xad0 == NULL || {x4+0xad0, \"-c\", x23, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x58, environ)")
OneGadget::Gadget.add(build_id, 248104,
- constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0xad0 == NULL"],
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0xad0 == NULL || {x4+0xad0, x3+0xad8, x23, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x58, environ)")
+OneGadget::Gadget.add(build_id, 248108,
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL || {x4, x3+0xad8, x23, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x58, environ)")
OneGadget::Gadget.add(build_id, 248116,
- constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL"],
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL || {x4, x3, x23, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x58, environ)")
OneGadget::Gadget.add(build_id, 248176,
- constraints: ["writable: x20+0x4", "[x22] == NULL || x22 == NULL"],
+ constraints: ["writable: x20+0x4", "[x22] == NULL || x22 == NULL || x22 is a valid argv"],
effect: "execve(\"/bin/sh\", x22, environ)")
OneGadget::Gadget.add(build_id, 398468,
constraints: ["x2+0xad8 == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-fe976940471b3f683eeebb268f095b7ff1c898c1.rb b/lib/one_gadget/builds/libc-2.24-fe976940471b3f683eeebb268f095b7ff1c898c1.rb
index 8608272..6ee5c76 100644
--- a/lib/one_gadget/builds/libc-2.24-fe976940471b3f683eeebb268f095b7ff1c898c1.rb
+++ b/lib/one_gadget/builds/libc-2.24-fe976940471b3f683eeebb268f095b7ff1c898c1.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 234677,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
OneGadget::Gadget.add(build_id, 234679,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x30, environ)")
OneGadget::Gadget.add(build_id, 234683,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 234690,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 234725,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 234726,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 386143,
constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.25-58c735bc7b19b0aeb395cce70cf63bd62ac75e4a.rb b/lib/one_gadget/builds/libc-2.25-58c735bc7b19b0aeb395cce70cf63bd62ac75e4a.rb
index c8b8034..56a2103 100644
--- a/lib/one_gadget/builds/libc-2.25-58c735bc7b19b0aeb395cce70cf63bd62ac75e4a.rb
+++ b/lib/one_gadget/builds/libc-2.25-58c735bc7b19b0aeb395cce70cf63bd62ac75e4a.rb
@@ -19,28 +19,34 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 265092,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 265099,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 265183,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 765680,
- constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", r12, r13)")
+OneGadget::Gadget.add(build_id, 765728,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 765738,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 765742,
- constraints: ["writable: rbp-0x30", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x30", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 765750,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], [rbp-0x30], [rbp-0x28], ...} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 890131,
- constraints: ["[rsp+0x80] == NULL"],
+ constraints: ["[rsp+0x80] == NULL || {[rsp+0x80], [rsp+0x88], [rsp+0x90], [rsp+0x98], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x80, environ)")
OneGadget::Gadget.add(build_id, 890146,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.25-912fc00c0da67045111928bd5c8a350e5be18c41.rb b/lib/one_gadget/builds/libc-2.25-912fc00c0da67045111928bd5c8a350e5be18c41.rb
index 84b226d..f40fe1b 100644
--- a/lib/one_gadget/builds/libc-2.25-912fc00c0da67045111928bd5c8a350e5be18c41.rb
+++ b/lib/one_gadget/builds/libc-2.25-912fc00c0da67045111928bd5c8a350e5be18c41.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 246145,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 246147,
- constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 246151,
- constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x3c, environ)")
OneGadget::Gadget.add(build_id, 246158,
- constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x40, environ)")
OneGadget::Gadget.add(build_id, 246193,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 246194,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 401519,
constraints: ["edi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.25-e5eb6347f0629b37bf698200022a683b7efb10ed.rb b/lib/one_gadget/builds/libc-2.25-e5eb6347f0629b37bf698200022a683b7efb10ed.rb
index c66be96..b7ce455 100644
--- a/lib/one_gadget/builds/libc-2.25-e5eb6347f0629b37bf698200022a683b7efb10ed.rb
+++ b/lib/one_gadget/builds/libc-2.25-e5eb6347f0629b37bf698200022a683b7efb10ed.rb
@@ -19,14 +19,23 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 250588,
+ constraints: ["writable: x19+0x258", "{\"sh\", \"-c\", x23, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x58, environ)")
+OneGadget::Gadget.add(build_id, 250596,
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0x7e0 == NULL || {x4+0x7e0, \"-c\", x23, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x58, environ)")
OneGadget::Gadget.add(build_id, 250600,
- constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0x7e0 == NULL"],
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0x7e0 == NULL || {x4+0x7e0, x3+0x7e8, x23, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x58, environ)")
+OneGadget::Gadget.add(build_id, 250604,
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL || {x4, x3+0x7e8, x23, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x58, environ)")
OneGadget::Gadget.add(build_id, 250612,
- constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL"],
+ constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL || {x4, x3, x23, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x58, environ)")
OneGadget::Gadget.add(build_id, 250672,
- constraints: ["writable: x20+0x4", "[x22] == NULL || x22 == NULL"],
+ constraints: ["writable: x20+0x4", "[x22] == NULL || x22 == NULL || x22 is a valid argv"],
effect: "execve(\"/bin/sh\", x22, environ)")
OneGadget::Gadget.add(build_id, 400676,
constraints: ["x2+0x7e8 == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.25-eae5038c2b9ae67d9eda345aa9fbe0a7185ab436.rb b/lib/one_gadget/builds/libc-2.25-eae5038c2b9ae67d9eda345aa9fbe0a7185ab436.rb
index dd6045a..45d6e61 100644
--- a/lib/one_gadget/builds/libc-2.25-eae5038c2b9ae67d9eda345aa9fbe0a7185ab436.rb
+++ b/lib/one_gadget/builds/libc-2.25-eae5038c2b9ae67d9eda345aa9fbe0a7185ab436.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 246097,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 246099,
- constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 246103,
- constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x3c, environ)")
OneGadget::Gadget.add(build_id, 246110,
- constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x40, environ)")
OneGadget::Gadget.add(build_id, 246145,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 246146,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 401983,
constraints: ["edi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.26-1c39b3b3faa2a2cbb0fa0b6845b29332562262d3.rb b/lib/one_gadget/builds/libc-2.26-1c39b3b3faa2a2cbb0fa0b6845b29332562262d3.rb
index c43288f..64619a1 100644
--- a/lib/one_gadget/builds/libc-2.26-1c39b3b3faa2a2cbb0fa0b6845b29332562262d3.rb
+++ b/lib/one_gadget/builds/libc-2.26-1c39b3b3faa2a2cbb0fa0b6845b29332562262d3.rb
@@ -19,28 +19,34 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 269091,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 269098,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 269182,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 799344,
- constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", r12, r13)")
+OneGadget::Gadget.add(build_id, 799392,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 799402,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 799406,
- constraints: ["writable: rbp-0x30", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x30", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 799414,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], [rbp-0x30], [rbp-0x28], ...} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 921646,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 921658,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.26-3b850bf60461afbdd83317b248b3f687e52ff18e.rb b/lib/one_gadget/builds/libc-2.26-3b850bf60461afbdd83317b248b3f687e52ff18e.rb
index 936dd25..9c1b954 100644
--- a/lib/one_gadget/builds/libc-2.26-3b850bf60461afbdd83317b248b3f687e52ff18e.rb
+++ b/lib/one_gadget/builds/libc-2.26-3b850bf60461afbdd83317b248b3f687e52ff18e.rb
@@ -19,17 +19,26 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255548,
+ constraints: ["writable: x20+0x318", "{\"sh\", \"-c\", x25, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x70, environ)")
OneGadget::Gadget.add(build_id, 255552,
- constraints: ["writable: x20+0x318", "x3+0xca0 == NULL"],
+ constraints: ["writable: x20+0x318", "x3+0xca0 == NULL || {x3+0xca0, \"-c\", x25, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x70, environ)")
OneGadget::Gadget.add(build_id, 255556,
- constraints: ["writable: x20+0x318", "x3 == NULL"],
+ constraints: ["writable: x20+0x318", "x3 == NULL || {x3, \"-c\", x25, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x70, environ)")
+OneGadget::Gadget.add(build_id, 255564,
+ constraints: ["writable: x19+0x4", "writable: x20+0x318", "x3 == NULL || {x3, x0+0xca8, x25, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x70, environ)")
+OneGadget::Gadget.add(build_id, 255568,
+ constraints: ["writable: x19+0x4", "writable: x20+0x318", "x3 == NULL || {x3, x0, x25, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x70, environ)")
OneGadget::Gadget.add(build_id, 255592,
- constraints: ["writable: x19+0x4", "writable: x20+0x318", "[sp+0x70] == NULL"],
+ constraints: ["writable: x19+0x4", "writable: x20+0x318", "[sp+0x70] == NULL || {[sp+0x70], [sp+0x78], [sp+0x80], [sp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x70, environ)")
OneGadget::Gadget.add(build_id, 255628,
- constraints: ["writable: x19+0x4", "writable: x20+0x318", "[x21] == NULL || x21 == NULL"],
+ constraints: ["writable: x19+0x4", "writable: x20+0x318", "[x21] == NULL || x21 == NULL || x21 is a valid argv"],
effect: "execve(\"/bin/sh\", x21, environ)")
OneGadget::Gadget.add(build_id, 409132,
constraints: ["x2+0xca8 == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.26-499b381aaf00ce85ee5d4a12770ea369b30d2a41.rb b/lib/one_gadget/builds/libc-2.26-499b381aaf00ce85ee5d4a12770ea369b30d2a41.rb
index a0a33c6..a85572f 100644
--- a/lib/one_gadget/builds/libc-2.26-499b381aaf00ce85ee5d4a12770ea369b30d2a41.rb
+++ b/lib/one_gadget/builds/libc-2.26-499b381aaf00ce85ee5d4a12770ea369b30d2a41.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 248879,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 248881,
- constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248885,
- constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x3c, environ)")
OneGadget::Gadget.add(build_id, 248892,
- constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x40, environ)")
OneGadget::Gadget.add(build_id, 248927,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 248928,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 421503,
constraints: ["edi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.26-4cc84abfe1fd26a485fc2b1b954c281ce9d358fd.rb b/lib/one_gadget/builds/libc-2.26-4cc84abfe1fd26a485fc2b1b954c281ce9d358fd.rb
index f7d808e..065d246 100644
--- a/lib/one_gadget/builds/libc-2.26-4cc84abfe1fd26a485fc2b1b954c281ce9d358fd.rb
+++ b/lib/one_gadget/builds/libc-2.26-4cc84abfe1fd26a485fc2b1b954c281ce9d358fd.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 250868,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 250870,
- constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 250874,
- constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x3c, environ)")
OneGadget::Gadget.add(build_id, 250881,
- constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x40, environ)")
OneGadget::Gadget.add(build_id, 250916,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 250917,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 425551,
constraints: ["edi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.26-4ea852c9d6a5084b8b58509b3b3d37d3d8cddb90.rb b/lib/one_gadget/builds/libc-2.26-4ea852c9d6a5084b8b58509b3b3d37d3d8cddb90.rb
index aafc251..769d577 100644
--- a/lib/one_gadget/builds/libc-2.26-4ea852c9d6a5084b8b58509b3b3d37d3d8cddb90.rb
+++ b/lib/one_gadget/builds/libc-2.26-4ea852c9d6a5084b8b58509b3b3d37d3d8cddb90.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 250868,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 250870,
- constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 250874,
- constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x3c, environ)")
OneGadget::Gadget.add(build_id, 250881,
- constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x40, environ)")
OneGadget::Gadget.add(build_id, 250916,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 250917,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 425551,
constraints: ["edi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.26-6d2b609f0c8e7b338f767b08c5ac712fac809d31.rb b/lib/one_gadget/builds/libc-2.26-6d2b609f0c8e7b338f767b08c5ac712fac809d31.rb
index 5e32aa7..702d56c 100644
--- a/lib/one_gadget/builds/libc-2.26-6d2b609f0c8e7b338f767b08c5ac712fac809d31.rb
+++ b/lib/one_gadget/builds/libc-2.26-6d2b609f0c8e7b338f767b08c5ac712fac809d31.rb
@@ -19,40 +19,46 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 293951,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 293958,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 294042,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 890627,
- constraints: ["[r13] == NULL || r13 == NULL", "[rbx] == NULL || rbx == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"],
effect: "execve(\"/bin/sh\", r13, rbx)")
+OneGadget::Gadget.add(build_id, 890912,
+ constraints: ["writable: rbp-0x48", "r14 == NULL || {\"/bin/sh\", r14, NULL} is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, rbx)")
OneGadget::Gadget.add(build_id, 890922,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[rbx] == NULL || rbx == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, r14, NULL} is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, rbx)")
OneGadget::Gadget.add(build_id, 890926,
- constraints: ["writable: rbp-0x40", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[rbx] == NULL || rbx == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, rbx)")
OneGadget::Gadget.add(build_id, 890934,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[rbx] == NULL || rbx == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], [rbp-0x40], [rbp-0x38], ...} is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, rbx)")
OneGadget::Gadget.add(build_id, 891345,
- constraints: ["[[rbp-0xa0]] == NULL || [rbp-0xa0] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["[[rbp-0xa0]] == NULL || [rbp-0xa0] == NULL || [rbp-0xa0] is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0xa0], [rbp-0x70])")
OneGadget::Gadget.add(build_id, 891352,
- constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 891356,
- constraints: ["[rcx] == NULL || rcx == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, rdx)")
OneGadget::Gadget.add(build_id, 1035374,
- constraints: ["[rsp+0x40] == NULL"],
+ constraints: ["[rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
OneGadget::Gadget.add(build_id, 1035386,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 1039134,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
diff --git a/lib/one_gadget/builds/libc-2.26-d4dd444f86cfc66c97c5e3eecb69fc5b86ea6539.rb b/lib/one_gadget/builds/libc-2.26-d4dd444f86cfc66c97c5e3eecb69fc5b86ea6539.rb
index e3e36e7..e505ee6 100644
--- a/lib/one_gadget/builds/libc-2.26-d4dd444f86cfc66c97c5e3eecb69fc5b86ea6539.rb
+++ b/lib/one_gadget/builds/libc-2.26-d4dd444f86cfc66c97c5e3eecb69fc5b86ea6539.rb
@@ -19,17 +19,26 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255548,
+ constraints: ["writable: x20+0x318", "{\"sh\", \"-c\", x25, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x70, environ)")
OneGadget::Gadget.add(build_id, 255552,
- constraints: ["writable: x20+0x318", "x3+0xcc0 == NULL"],
+ constraints: ["writable: x20+0x318", "x3+0xcc0 == NULL || {x3+0xcc0, \"-c\", x25, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x70, environ)")
OneGadget::Gadget.add(build_id, 255556,
- constraints: ["writable: x20+0x318", "x3 == NULL"],
+ constraints: ["writable: x20+0x318", "x3 == NULL || {x3, \"-c\", x25, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x70, environ)")
+OneGadget::Gadget.add(build_id, 255564,
+ constraints: ["writable: x19+0x4", "writable: x20+0x318", "x3 == NULL || {x3, x0+0xcc8, x25, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x70, environ)")
+OneGadget::Gadget.add(build_id, 255568,
+ constraints: ["writable: x19+0x4", "writable: x20+0x318", "x3 == NULL || {x3, x0, x25, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x70, environ)")
OneGadget::Gadget.add(build_id, 255592,
- constraints: ["writable: x19+0x4", "writable: x20+0x318", "[sp+0x70] == NULL"],
+ constraints: ["writable: x19+0x4", "writable: x20+0x318", "[sp+0x70] == NULL || {[sp+0x70], [sp+0x78], [sp+0x80], [sp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x70, environ)")
OneGadget::Gadget.add(build_id, 255628,
- constraints: ["writable: x19+0x4", "writable: x20+0x318", "[x21] == NULL || x21 == NULL"],
+ constraints: ["writable: x19+0x4", "writable: x20+0x318", "[x21] == NULL || x21 == NULL || x21 is a valid argv"],
effect: "execve(\"/bin/sh\", x21, environ)")
OneGadget::Gadget.add(build_id, 409132,
constraints: ["x2+0xcc8 == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.26-ddcc13122ddbfe5e5ef77d4ebe66d124ae5762c2.rb b/lib/one_gadget/builds/libc-2.26-ddcc13122ddbfe5e5ef77d4ebe66d124ae5762c2.rb
index 933b81f..bb31f4d 100644
--- a/lib/one_gadget/builds/libc-2.26-ddcc13122ddbfe5e5ef77d4ebe66d124ae5762c2.rb
+++ b/lib/one_gadget/builds/libc-2.26-ddcc13122ddbfe5e5ef77d4ebe66d124ae5762c2.rb
@@ -19,40 +19,46 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 293951,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 293958,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 294042,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 890723,
- constraints: ["[r13] == NULL || r13 == NULL", "[rbx] == NULL || rbx == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"],
effect: "execve(\"/bin/sh\", r13, rbx)")
+OneGadget::Gadget.add(build_id, 891008,
+ constraints: ["writable: rbp-0x48", "r14 == NULL || {\"/bin/sh\", r14, NULL} is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, rbx)")
OneGadget::Gadget.add(build_id, 891018,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[rbx] == NULL || rbx == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, r14, NULL} is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, rbx)")
OneGadget::Gadget.add(build_id, 891022,
- constraints: ["writable: rbp-0x40", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[rbx] == NULL || rbx == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, rbx)")
OneGadget::Gadget.add(build_id, 891030,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[rbx] == NULL || rbx == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], [rbp-0x40], [rbp-0x38], ...} is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, rbx)")
OneGadget::Gadget.add(build_id, 891441,
- constraints: ["[[rbp-0xa0]] == NULL || [rbp-0xa0] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["[[rbp-0xa0]] == NULL || [rbp-0xa0] == NULL || [rbp-0xa0] is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0xa0], [rbp-0x70])")
OneGadget::Gadget.add(build_id, 891448,
- constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 891452,
- constraints: ["[rcx] == NULL || rcx == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, rdx)")
OneGadget::Gadget.add(build_id, 1035486,
- constraints: ["[rsp+0x40] == NULL"],
+ constraints: ["[rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
OneGadget::Gadget.add(build_id, 1035498,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 1039246,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
diff --git a/lib/one_gadget/builds/libc-2.26-f65648a832414f2144ce795d75b6045a1ec2e252.rb b/lib/one_gadget/builds/libc-2.26-f65648a832414f2144ce795d75b6045a1ec2e252.rb
index cd3de51..d27d5ac 100644
--- a/lib/one_gadget/builds/libc-2.26-f65648a832414f2144ce795d75b6045a1ec2e252.rb
+++ b/lib/one_gadget/builds/libc-2.26-f65648a832414f2144ce795d75b6045a1ec2e252.rb
@@ -20,22 +20,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 248879,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 248881,
- constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248885,
- constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x3c, environ)")
OneGadget::Gadget.add(build_id, 248892,
- constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x40, environ)")
OneGadget::Gadget.add(build_id, 248927,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 248928,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 421503,
constraints: ["edi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.26-fb587bc4429e7d1b0de31a3b9ee8ae78ee797eb0.rb b/lib/one_gadget/builds/libc-2.26-fb587bc4429e7d1b0de31a3b9ee8ae78ee797eb0.rb
index d4a87ec..9cf0e71 100644
--- a/lib/one_gadget/builds/libc-2.26-fb587bc4429e7d1b0de31a3b9ee8ae78ee797eb0.rb
+++ b/lib/one_gadget/builds/libc-2.26-fb587bc4429e7d1b0de31a3b9ee8ae78ee797eb0.rb
@@ -19,28 +19,34 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 269091,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 269098,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 269182,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 799376,
- constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", r12, r13)")
+OneGadget::Gadget.add(build_id, 799424,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 799434,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 799438,
- constraints: ["writable: rbp-0x30", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x30", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 799446,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], [rbp-0x30], [rbp-0x28], ...} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 921694,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 921706,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.27-0e188ec5f09c187a7a92784d4b97aa251b15a93c.rb b/lib/one_gadget/builds/libc-2.27-0e188ec5f09c187a7a92784d4b97aa251b15a93c.rb
index fbf58c0..8de55ab 100644
--- a/lib/one_gadget/builds/libc-2.27-0e188ec5f09c187a7a92784d4b97aa251b15a93c.rb
+++ b/lib/one_gadget/builds/libc-2.27-0e188ec5f09c187a7a92784d4b97aa251b15a93c.rb
@@ -15,22 +15,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 250067,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 250069,
- constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 250073,
- constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x3c, environ)")
OneGadget::Gadget.add(build_id, 250080,
- constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x40, environ)")
OneGadget::Gadget.add(build_id, 250115,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 250116,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 424575,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.27-14cd15d2eb0bc25c89045873cf807f7533e4788d.rb b/lib/one_gadget/builds/libc-2.27-14cd15d2eb0bc25c89045873cf807f7533e4788d.rb
index 5c20258..c2c3892 100644
--- a/lib/one_gadget/builds/libc-2.27-14cd15d2eb0bc25c89045873cf807f7533e4788d.rb
+++ b/lib/one_gadget/builds/libc-2.27-14cd15d2eb0bc25c89045873cf807f7533e4788d.rb
@@ -15,22 +15,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 250291,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 250293,
- constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 250297,
- constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x3c, environ)")
OneGadget::Gadget.add(build_id, 250304,
- constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x40, environ)")
OneGadget::Gadget.add(build_id, 250339,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 250340,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 424927,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.27-2d1c5e0b85cb06ff47fa6fa088ec22cb6e06074e.rb b/lib/one_gadget/builds/libc-2.27-2d1c5e0b85cb06ff47fa6fa088ec22cb6e06074e.rb
index a184c7d..f2682c8 100644
--- a/lib/one_gadget/builds/libc-2.27-2d1c5e0b85cb06ff47fa6fa088ec22cb6e06074e.rb
+++ b/lib/one_gadget/builds/libc-2.27-2d1c5e0b85cb06ff47fa6fa088ec22cb6e06074e.rb
@@ -15,22 +15,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 248922,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 248924,
- constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248928,
- constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x3c, environ)")
OneGadget::Gadget.add(build_id, 248935,
- constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x40, environ)")
OneGadget::Gadget.add(build_id, 248970,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 248971,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 422671,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.27-63b3d43ad45e1b0f601848c65b067f9e9b40528b.rb b/lib/one_gadget/builds/libc-2.27-63b3d43ad45e1b0f601848c65b067f9e9b40528b.rb
index 8218118..cbc21fb 100644
--- a/lib/one_gadget/builds/libc-2.27-63b3d43ad45e1b0f601848c65b067f9e9b40528b.rb
+++ b/lib/one_gadget/builds/libc-2.27-63b3d43ad45e1b0f601848c65b067f9e9b40528b.rb
@@ -15,22 +15,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 248810,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 248812,
- constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 248816,
- constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x3c, environ)")
OneGadget::Gadget.add(build_id, 248823,
- constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x40, environ)")
OneGadget::Gadget.add(build_id, 248858,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 248859,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 422559,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.27-71f0f3074a929e519e85f6a5c03a7d1fd976bfe4.rb b/lib/one_gadget/builds/libc-2.27-71f0f3074a929e519e85f6a5c03a7d1fd976bfe4.rb
index a49dbfd..a1cdef7 100644
--- a/lib/one_gadget/builds/libc-2.27-71f0f3074a929e519e85f6a5c03a7d1fd976bfe4.rb
+++ b/lib/one_gadget/builds/libc-2.27-71f0f3074a929e519e85f6a5c03a7d1fd976bfe4.rb
@@ -14,31 +14,34 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 324247,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
+OneGadget::Gadget.add(build_id, 324254,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "rcx == NULL || {rcx, \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
OneGadget::Gadget.add(build_id, 324261,
- constraints: ["rsp & 0xf == 0", "rcx == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "rcx == NULL || {rcx, rax, r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
OneGadget::Gadget.add(build_id, 324354,
- constraints: ["[rsp+0x40] == NULL"],
+ constraints: ["[rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
OneGadget::Gadget.add(build_id, 938831,
- constraints: ["[r13] == NULL || r13 == NULL", "[rbx] == NULL || rbx == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"],
effect: "execve(\"/bin/sh\", r13, rbx)")
OneGadget::Gadget.add(build_id, 939255,
- constraints: ["[[rbp-0x88]] == NULL || [rbp-0x88] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["[[rbp-0x88]] == NULL || [rbp-0x88] == NULL || [rbp-0x88] is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x88], [rbp-0x70])")
OneGadget::Gadget.add(build_id, 939262,
- constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 939266,
- constraints: ["[rcx] == NULL || rcx == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, rdx)")
-OneGadget::Gadget.add(build_id, 939325,
- constraints: ["writable: [rbp-0x78]+0x10", "writable: rbp-0x80", "[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
- effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x70])")
OneGadget::Gadget.add(build_id, 1090300,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 1090312,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.27-73cd526a553b3b47c6dd0d6dc62175263cdc646e.rb b/lib/one_gadget/builds/libc-2.27-73cd526a553b3b47c6dd0d6dc62175263cdc646e.rb
index fdfdcfe..8ddaff3 100644
--- a/lib/one_gadget/builds/libc-2.27-73cd526a553b3b47c6dd0d6dc62175263cdc646e.rb
+++ b/lib/one_gadget/builds/libc-2.27-73cd526a553b3b47c6dd0d6dc62175263cdc646e.rb
@@ -14,22 +14,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 271543,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 271550,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 271634,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 806271,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
+OneGadget::Gadget.add(build_id, 806318,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 806325,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 929870,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 929882,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.27-9dd0bb57f81671704475d1e5163405f7b4d4b454.rb b/lib/one_gadget/builds/libc-2.27-9dd0bb57f81671704475d1e5163405f7b4d4b454.rb
index ee40789..0b42da1 100644
--- a/lib/one_gadget/builds/libc-2.27-9dd0bb57f81671704475d1e5163405f7b4d4b454.rb
+++ b/lib/one_gadget/builds/libc-2.27-9dd0bb57f81671704475d1e5163405f7b4d4b454.rb
@@ -14,22 +14,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 271367,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 271374,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 271458,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 806783,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
+OneGadget::Gadget.add(build_id, 806830,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 806837,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 930286,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 930298,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.27-a5e88eb34369fb48113b9eda7a92e07b372f3cb7.rb b/lib/one_gadget/builds/libc-2.27-a5e88eb34369fb48113b9eda7a92e07b372f3cb7.rb
index 513bd0a..dd4f2a6 100644
--- a/lib/one_gadget/builds/libc-2.27-a5e88eb34369fb48113b9eda7a92e07b372f3cb7.rb
+++ b/lib/one_gadget/builds/libc-2.27-a5e88eb34369fb48113b9eda7a92e07b372f3cb7.rb
@@ -14,22 +14,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 271655,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 271662,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 271746,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 806383,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
+OneGadget::Gadget.add(build_id, 806430,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 806437,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 929982,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 929994,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.27-b417c0ba7cc5cf06d1d1bed6652cedb9253c60d0.rb b/lib/one_gadget/builds/libc-2.27-b417c0ba7cc5cf06d1d1bed6652cedb9253c60d0.rb
index ec13773..cc7a386 100644
--- a/lib/one_gadget/builds/libc-2.27-b417c0ba7cc5cf06d1d1bed6652cedb9253c60d0.rb
+++ b/lib/one_gadget/builds/libc-2.27-b417c0ba7cc5cf06d1d1bed6652cedb9253c60d0.rb
@@ -14,28 +14,34 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 324279,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
+OneGadget::Gadget.add(build_id, 324286,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "rcx == NULL || {rcx, \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
OneGadget::Gadget.add(build_id, 324293,
- constraints: ["rsp & 0xf == 0", "rcx == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "rcx == NULL || {rcx, rax, r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
OneGadget::Gadget.add(build_id, 324386,
- constraints: ["[rsp+0x40] == NULL"],
+ constraints: ["[rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
OneGadget::Gadget.add(build_id, 939679,
- constraints: ["[r14] == NULL || r14 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r14] == NULL || r14 == NULL || r14 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r14, r12)")
OneGadget::Gadget.add(build_id, 940120,
- constraints: ["[[rbp-0x88]] == NULL || [rbp-0x88] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["[[rbp-0x88]] == NULL || [rbp-0x88] == NULL || [rbp-0x88] is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x88], [rbp-0x70])")
OneGadget::Gadget.add(build_id, 940127,
- constraints: ["[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 940131,
- constraints: ["[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r10, rdx)")
OneGadget::Gadget.add(build_id, 1090444,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 1090456,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.27-ba63c4a5f5c2b51e6e7e5df94017dc98b20e397a.rb b/lib/one_gadget/builds/libc-2.27-ba63c4a5f5c2b51e6e7e5df94017dc98b20e397a.rb
index b465dfb..155ced5 100644
--- a/lib/one_gadget/builds/libc-2.27-ba63c4a5f5c2b51e6e7e5df94017dc98b20e397a.rb
+++ b/lib/one_gadget/builds/libc-2.27-ba63c4a5f5c2b51e6e7e5df94017dc98b20e397a.rb
@@ -15,22 +15,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 249322,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 249324,
- constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249328,
- constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x3c, environ)")
OneGadget::Gadget.add(build_id, 249335,
- constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x40, environ)")
OneGadget::Gadget.add(build_id, 249370,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 249371,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 423071,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.27-ce450eb01a5e5acc7ce7b8c2633b02cc1093339e.rb b/lib/one_gadget/builds/libc-2.27-ce450eb01a5e5acc7ce7b8c2633b02cc1093339e.rb
index 25916cd..fb3aa9a 100644
--- a/lib/one_gadget/builds/libc-2.27-ce450eb01a5e5acc7ce7b8c2633b02cc1093339e.rb
+++ b/lib/one_gadget/builds/libc-2.27-ce450eb01a5e5acc7ce7b8c2633b02cc1093339e.rb
@@ -14,31 +14,34 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 324551,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
+OneGadget::Gadget.add(build_id, 324558,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "rcx == NULL || {rcx, \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
OneGadget::Gadget.add(build_id, 324565,
- constraints: ["rsp & 0xf == 0", "rcx == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "rcx == NULL || {rcx, rax, r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
OneGadget::Gadget.add(build_id, 324658,
- constraints: ["[rsp+0x40] == NULL"],
+ constraints: ["[rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
OneGadget::Gadget.add(build_id, 939119,
- constraints: ["[r13] == NULL || r13 == NULL", "[rbx] == NULL || rbx == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"],
effect: "execve(\"/bin/sh\", r13, rbx)")
OneGadget::Gadget.add(build_id, 939543,
- constraints: ["[[rbp-0x88]] == NULL || [rbp-0x88] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["[[rbp-0x88]] == NULL || [rbp-0x88] == NULL || [rbp-0x88] is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x88], [rbp-0x70])")
OneGadget::Gadget.add(build_id, 939550,
- constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 939554,
- constraints: ["[rcx] == NULL || rcx == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, rdx)")
-OneGadget::Gadget.add(build_id, 939613,
- constraints: ["writable: [rbp-0x78]+0x10", "writable: rbp-0x80", "[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
- effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x70])")
OneGadget::Gadget.add(build_id, 1090588,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 1090600,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.27-cf1599aa8b3cb35f79dcaea7a8b48704ecf42a19.rb b/lib/one_gadget/builds/libc-2.27-cf1599aa8b3cb35f79dcaea7a8b48704ecf42a19.rb
index 6b97ee9..f71f19d 100644
--- a/lib/one_gadget/builds/libc-2.27-cf1599aa8b3cb35f79dcaea7a8b48704ecf42a19.rb
+++ b/lib/one_gadget/builds/libc-2.27-cf1599aa8b3cb35f79dcaea7a8b48704ecf42a19.rb
@@ -15,22 +15,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 250147,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 250149,
- constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 250153,
- constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x3c, environ)")
OneGadget::Gadget.add(build_id, 250160,
- constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x40, environ)")
OneGadget::Gadget.add(build_id, 250195,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 250196,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 424783,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.27-d1237c55f6778f53b369cf22ff81979b2fe340bb.rb b/lib/one_gadget/builds/libc-2.27-d1237c55f6778f53b369cf22ff81979b2fe340bb.rb
index 3aaedd1..fe2535b 100644
--- a/lib/one_gadget/builds/libc-2.27-d1237c55f6778f53b369cf22ff81979b2fe340bb.rb
+++ b/lib/one_gadget/builds/libc-2.27-d1237c55f6778f53b369cf22ff81979b2fe340bb.rb
@@ -14,22 +14,28 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 271431,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 271438,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 271522,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 806895,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
+OneGadget::Gadget.add(build_id, 806942,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 806949,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 930462,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 930474,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.27-d3cf764b2f97ac3efe366ddd07ad902fb6928fd7.rb b/lib/one_gadget/builds/libc-2.27-d3cf764b2f97ac3efe366ddd07ad902fb6928fd7.rb
index a141c8a..5d13c9e 100644
--- a/lib/one_gadget/builds/libc-2.27-d3cf764b2f97ac3efe366ddd07ad902fb6928fd7.rb
+++ b/lib/one_gadget/builds/libc-2.27-d3cf764b2f97ac3efe366ddd07ad902fb6928fd7.rb
@@ -14,28 +14,34 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 324439,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
+OneGadget::Gadget.add(build_id, 324446,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "rcx == NULL || {rcx, \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
OneGadget::Gadget.add(build_id, 324453,
- constraints: ["rsp & 0xf == 0", "rcx == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "rcx == NULL || {rcx, rax, r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
OneGadget::Gadget.add(build_id, 324546,
- constraints: ["[rsp+0x40] == NULL"],
+ constraints: ["[rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
OneGadget::Gadget.add(build_id, 939775,
- constraints: ["[r14] == NULL || r14 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r14] == NULL || r14 == NULL || r14 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r14, r12)")
OneGadget::Gadget.add(build_id, 940216,
- constraints: ["[[rbp-0x88]] == NULL || [rbp-0x88] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["[[rbp-0x88]] == NULL || [rbp-0x88] == NULL || [rbp-0x88] is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", [rbp-0x88], [rbp-0x70])")
OneGadget::Gadget.add(build_id, 940223,
- constraints: ["[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 940227,
- constraints: ["[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r10, rdx)")
OneGadget::Gadget.add(build_id, 1090652,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 1090664,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.27-d831493b564a8632d1da5cc0fe44af45713cfeb6.rb b/lib/one_gadget/builds/libc-2.27-d831493b564a8632d1da5cc0fe44af45713cfeb6.rb
index b710532..fd5c4dc 100644
--- a/lib/one_gadget/builds/libc-2.27-d831493b564a8632d1da5cc0fe44af45713cfeb6.rb
+++ b/lib/one_gadget/builds/libc-2.27-d831493b564a8632d1da5cc0fe44af45713cfeb6.rb
@@ -15,22 +15,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 250531,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 250533,
- constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 250537,
- constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x3c, environ)")
OneGadget::Gadget.add(build_id, 250544,
- constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x40, environ)")
OneGadget::Gadget.add(build_id, 250579,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 250580,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 425167,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.27-f4929d2a8af4629477103af6f1cfb3bebce80883.rb b/lib/one_gadget/builds/libc-2.27-f4929d2a8af4629477103af6f1cfb3bebce80883.rb
index 64c5c52..256c8b2 100644
--- a/lib/one_gadget/builds/libc-2.27-f4929d2a8af4629477103af6f1cfb3bebce80883.rb
+++ b/lib/one_gadget/builds/libc-2.27-f4929d2a8af4629477103af6f1cfb3bebce80883.rb
@@ -15,22 +15,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 249066,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 249068,
- constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 249072,
- constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x3c, environ)")
OneGadget::Gadget.add(build_id, 249079,
- constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x40, environ)")
OneGadget::Gadget.add(build_id, 249114,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 249115,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 422815,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.28-26b3c1a40c8a0bd026975a262774bf52aec55107.rb b/lib/one_gadget/builds/libc-2.28-26b3c1a40c8a0bd026975a262774bf52aec55107.rb
index 2bc0653..a4b573b 100644
--- a/lib/one_gadget/builds/libc-2.28-26b3c1a40c8a0bd026975a262774bf52aec55107.rb
+++ b/lib/one_gadget/builds/libc-2.28-26b3c1a40c8a0bd026975a262774bf52aec55107.rb
@@ -14,14 +14,23 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258248,
+ constraints: ["writable: x20+0x360", "{\"sh\", \"-c\", x24, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x70, environ)")
+OneGadget::Gadget.add(build_id, 258252,
+ constraints: ["writable: x20+0x360", "x4+0x430 == NULL || {x4+0x430, \"-c\", x24, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x70, environ)")
OneGadget::Gadget.add(build_id, 258256,
- constraints: ["writable: x20+0x360", "x4+0x430 == NULL"],
+ constraints: ["writable: x20+0x360", "x4+0x430 == NULL || {x4+0x430, x3+0x438, x24, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", sp+0x70, environ)")
+OneGadget::Gadget.add(build_id, 258260,
+ constraints: ["writable: x20+0x360", "x4 == NULL || {x4, x3+0x438, x24, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x70, environ)")
OneGadget::Gadget.add(build_id, 258264,
- constraints: ["writable: x20+0x360", "x4 == NULL"],
+ constraints: ["writable: x20+0x360", "x4 == NULL || {x4, x3, x24, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", sp+0x70, environ)")
OneGadget::Gadget.add(build_id, 258328,
- constraints: ["writable: x19+0x4", "writable: x20+0x360", "[x21] == NULL || x21 == NULL"],
+ constraints: ["writable: x19+0x4", "writable: x20+0x360", "[x21] == NULL || x21 == NULL || x21 is a valid argv"],
effect: "execve(\"/bin/sh\", x21, environ)")
OneGadget::Gadget.add(build_id, 409712,
constraints: ["x2+0x438 == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.28-44f5a3efb0e5733fa9d97e690cb36cd4c682bcdb.rb b/lib/one_gadget/builds/libc-2.28-44f5a3efb0e5733fa9d97e690cb36cd4c682bcdb.rb
index 08e221c..316e25f 100644
--- a/lib/one_gadget/builds/libc-2.28-44f5a3efb0e5733fa9d97e690cb36cd4c682bcdb.rb
+++ b/lib/one_gadget/builds/libc-2.28-44f5a3efb0e5733fa9d97e690cb36cd4c682bcdb.rb
@@ -15,22 +15,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 256230,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 256232,
- constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 256236,
- constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x3c, environ)")
OneGadget::Gadget.add(build_id, 256243,
- constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x40, environ)")
OneGadget::Gadget.add(build_id, 256278,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 256279,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 429851,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.28-5784a31a1c26f6d2157e585205ebb63dd19ff90f.rb b/lib/one_gadget/builds/libc-2.28-5784a31a1c26f6d2157e585205ebb63dd19ff90f.rb
index 9011bf6..6e21f71 100644
--- a/lib/one_gadget/builds/libc-2.28-5784a31a1c26f6d2157e585205ebb63dd19ff90f.rb
+++ b/lib/one_gadget/builds/libc-2.28-5784a31a1c26f6d2157e585205ebb63dd19ff90f.rb
@@ -15,22 +15,22 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 257699,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x34, environ)")
OneGadget::Gadget.add(build_id, 257701,
- constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x38, environ)")
OneGadget::Gadget.add(build_id, 257705,
- constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x3c, environ)")
OneGadget::Gadget.add(build_id, 257712,
- constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", esp+0x40, environ)")
OneGadget::Gadget.add(build_id, 257747,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
effect: "execve(\"/bin/sh\", eax, [esp])")
OneGadget::Gadget.add(build_id, 257748,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
OneGadget::Gadget.add(build_id, 433019,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.28-5b157f49586a3ca84d55837f97ff466767dd3445.rb b/lib/one_gadget/builds/libc-2.28-5b157f49586a3ca84d55837f97ff466767dd3445.rb
index 96e1e24..6f0b315 100644
--- a/lib/one_gadget/builds/libc-2.28-5b157f49586a3ca84d55837f97ff466767dd3445.rb
+++ b/lib/one_gadget/builds/libc-2.28-5b157f49586a3ca84d55837f97ff466767dd3445.rb
@@ -14,43 +14,46 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 328056,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x8", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
+OneGadget::Gadget.add(build_id, 328063,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x8", "rcx == NULL || {rcx, \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
OneGadget::Gadget.add(build_id, 328070,
- constraints: ["rsp & 0xf == 0", "rcx == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x8", "rcx == NULL || {rcx, rax, r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
OneGadget::Gadget.add(build_id, 328163,
- constraints: ["[rsp+0x40] == NULL"],
+ constraints: ["[rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
OneGadget::Gadget.add(build_id, 328175,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 913902,
- constraints: ["[r15] == NULL || r15 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", r15, r13)")
OneGadget::Gadget.add(build_id, 913905,
- constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r15, rdx)")
OneGadget::Gadget.add(build_id, 913908,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
OneGadget::Gadget.add(build_id, 914335,
- constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 914339,
- constraints: ["[rcx] == NULL || rcx == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, rdx)")
+OneGadget::Gadget.add(build_id, 914411,
+ constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r13)")
OneGadget::Gadget.add(build_id, 914421,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r13)")
OneGadget::Gadget.add(build_id, 914425,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r13)")
-OneGadget::Gadget.add(build_id, 914483,
- constraints: ["writable: [rbp-0x78]+0x10", "writable: rbp-0x80", "[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
- effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x70])")
-OneGadget::Gadget.add(build_id, 914487,
- constraints: ["writable: [rbp-0x78]+0x10", "writable: rbp-0x50", "[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
- effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x70])")
OneGadget::Gadget.add(build_id, 1064784,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
diff --git a/lib/one_gadget/builds/libc-2.28-65ed813688b116fdce9e866ad2fef2e734167337.rb b/lib/one_gadget/builds/libc-2.28-65ed813688b116fdce9e866ad2fef2e734167337.rb
index 015105b..c66de83 100644
--- a/lib/one_gadget/builds/libc-2.28-65ed813688b116fdce9e866ad2fef2e734167337.rb
+++ b/lib/one_gadget/builds/libc-2.28-65ed813688b116fdce9e866ad2fef2e734167337.rb
@@ -14,31 +14,37 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 283129,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 283136,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 283220,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 283232,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 823386,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 823389,
- constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r13, rdx)")
OneGadget::Gadget.add(build_id, 823392,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 823472,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 823482,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 823486,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 947760,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
diff --git a/lib/one_gadget/builds/libc-2.28-6ee9454b96efa9e343f9e8105f2fa4529265ea05.rb b/lib/one_gadget/builds/libc-2.28-6ee9454b96efa9e343f9e8105f2fa4529265ea05.rb
index 2c7e091..33b9a52 100644
--- a/lib/one_gadget/builds/libc-2.28-6ee9454b96efa9e343f9e8105f2fa4529265ea05.rb
+++ b/lib/one_gadget/builds/libc-2.28-6ee9454b96efa9e343f9e8105f2fa4529265ea05.rb
@@ -14,31 +14,37 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 281400,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 281407,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 281491,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
OneGadget::Gadget.add(build_id, 281503,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
OneGadget::Gadget.add(build_id, 816106,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 816109,
- constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r13, rdx)")
OneGadget::Gadget.add(build_id, 816112,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 816191,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 816201,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 816205,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 939838,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
diff --git a/lib/one_gadget/builds/libc-2.29-5b7203920d3d786ac40af8e0d5104683335f11be.rb b/lib/one_gadget/builds/libc-2.29-5b7203920d3d786ac40af8e0d5104683335f11be.rb
index 85aa65b..20b7dd0 100644
--- a/lib/one_gadget/builds/libc-2.29-5b7203920d3d786ac40af8e0d5104683335f11be.rb
+++ b/lib/one_gadget/builds/libc-2.29-5b7203920d3d786ac40af8e0d5104683335f11be.rb
@@ -14,37 +14,61 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 292108,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 292116,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", 0, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 292125,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 292130,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 292135,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 292147,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 477205,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 477210,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 477215,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 477227,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 477236,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 826170,
- constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", r12, r13)")
OneGadget::Gadget.add(build_id, 826173,
- constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r12, rdx)")
OneGadget::Gadget.add(build_id, 826176,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 826259,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 826266,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 826273,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 949339,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 949351,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.29-85d5020664b11fd2708859275de41d5ab9d104cf.rb b/lib/one_gadget/builds/libc-2.29-85d5020664b11fd2708859275de41d5ab9d104cf.rb
index 85ac035..5028af2 100644
--- a/lib/one_gadget/builds/libc-2.29-85d5020664b11fd2708859275de41d5ab9d104cf.rb
+++ b/lib/one_gadget/builds/libc-2.29-85d5020664b11fd2708859275de41d5ab9d104cf.rb
@@ -14,37 +14,61 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 291228,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 291236,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", 0, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 291245,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 291250,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 291255,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 291267,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 474333,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 474340,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 474343,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 474355,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 474362,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 824730,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 824733,
- constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r13, rdx)")
OneGadget::Gadget.add(build_id, 824736,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 824815,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 824825,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 824829,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 948598,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 948610,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.29-a8af6c81cb28a37bf3a546970bf64224402f8bd4.rb b/lib/one_gadget/builds/libc-2.29-a8af6c81cb28a37bf3a546970bf64224402f8bd4.rb
index 66b0d71..d9bf024 100644
--- a/lib/one_gadget/builds/libc-2.29-a8af6c81cb28a37bf3a546970bf64224402f8bd4.rb
+++ b/lib/one_gadget/builds/libc-2.29-a8af6c81cb28a37bf3a546970bf64224402f8bd4.rb
@@ -14,37 +14,61 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 292108,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 292116,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", 0, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 292125,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 292130,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 292135,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 292147,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 477205,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 477210,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 477215,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 477227,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 477236,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 826618,
- constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", r12, r13)")
OneGadget::Gadget.add(build_id, 826621,
- constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r12, rdx)")
OneGadget::Gadget.add(build_id, 826624,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 826707,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 826714,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 826721,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 949803,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 949815,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.29-c19c88c33b60742ca906e0f9f96fe31b8b79ea9c.rb b/lib/one_gadget/builds/libc-2.29-c19c88c33b60742ca906e0f9f96fe31b8b79ea9c.rb
index 7526fa6..d0ca3a3 100644
--- a/lib/one_gadget/builds/libc-2.29-c19c88c33b60742ca906e0f9f96fe31b8b79ea9c.rb
+++ b/lib/one_gadget/builds/libc-2.29-c19c88c33b60742ca906e0f9f96fe31b8b79ea9c.rb
@@ -14,37 +14,61 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 281228,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 281236,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", 0, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 281245,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 281250,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 281255,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 281267,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 465965,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 465972,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 465975,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 465987,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 465994,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 819914,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 819917,
- constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r13, rdx)")
OneGadget::Gadget.add(build_id, 819920,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 820000,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 820010,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 820014,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 944400,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 944412,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.29-d561ec515222887a1e004555981169199d841024.rb b/lib/one_gadget/builds/libc-2.29-d561ec515222887a1e004555981169199d841024.rb
index 5df62b7..002a53d 100644
--- a/lib/one_gadget/builds/libc-2.29-d561ec515222887a1e004555981169199d841024.rb
+++ b/lib/one_gadget/builds/libc-2.29-d561ec515222887a1e004555981169199d841024.rb
@@ -14,52 +14,70 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 339051,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", r12, NULL} is a valid argv", "rbx == NULL || (u16)[rbx] == NULL"],
+ effect: "posix_spawn(rsp+0x1c, \"/bin/sh\", 0, rbx, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 339058,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rax == NULL || {\"sh\", rax, r12, NULL} is a valid argv", "rbx == NULL || (u16)[rbx] == NULL"],
+ effect: "posix_spawn(rsp+0x1c, \"/bin/sh\", 0, rbx, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 339072,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbx == NULL || (u16)[rbx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, r12, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbx == NULL || (u16)[rbx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbx, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 339077,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbx == NULL || (u16)[rbx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbx, r8, environ)")
OneGadget::Gadget.add(build_id, 339093,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbx == NULL || (u16)[rbx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x8", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbx == NULL || (u16)[rbx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbx, r8, environ)")
OneGadget::Gadget.add(build_id, 339096,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x8", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 539133,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 539140,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 539143,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 539162,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 539182,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x28", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 539189,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x28", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 926158,
- constraints: ["[r15] == NULL || r15 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", r15, r13)")
OneGadget::Gadget.add(build_id, 926161,
- constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r15, rdx)")
OneGadget::Gadget.add(build_id, 926164,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
OneGadget::Gadget.add(build_id, 926591,
- constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 926595,
- constraints: ["[rcx] == NULL || rcx == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rcx, rdx)")
+OneGadget::Gadget.add(build_id, 926667,
+ constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r13)")
OneGadget::Gadget.add(build_id, 926677,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r13)")
OneGadget::Gadget.add(build_id, 926681,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r13)")
-OneGadget::Gadget.add(build_id, 926739,
- constraints: ["writable: [rbp-0x78]+0x10", "writable: rbp-0x80", "[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
- effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x70])")
-OneGadget::Gadget.add(build_id, 926743,
- constraints: ["writable: [rbp-0x78]+0x10", "writable: rbp-0x50", "[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
- effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x70])")
OneGadget::Gadget.add(build_id, 1076984,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 1076996,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.30-00854a16b9b4b73893627ccb730d97907837e320.rb b/lib/one_gadget/builds/libc-2.30-00854a16b9b4b73893627ccb730d97907837e320.rb
index 06dff3a..72cd5a6 100644
--- a/lib/one_gadget/builds/libc-2.30-00854a16b9b4b73893627ccb730d97907837e320.rb
+++ b/lib/one_gadget/builds/libc-2.30-00854a16b9b4b73893627ccb730d97907837e320.rb
@@ -15,7 +15,7 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 833099,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"],
effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)")
OneGadget::Gadget.add(build_id, 1331075,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.30-2155f455ad56bd871c8225bcca85ee25c1c197c4.rb b/lib/one_gadget/builds/libc-2.30-2155f455ad56bd871c8225bcca85ee25c1c197c4.rb
index 001d180..4ec29c7 100644
--- a/lib/one_gadget/builds/libc-2.30-2155f455ad56bd871c8225bcca85ee25c1c197c4.rb
+++ b/lib/one_gadget/builds/libc-2.30-2155f455ad56bd871c8225bcca85ee25c1c197c4.rb
@@ -14,61 +14,94 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 348403,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r12 == NULL || (u16)[r12] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r12, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 348410,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "r12 == NULL || (u16)[r12] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r12, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 348422,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm1 == NULL || {\"sh\", (u64)xmm1, rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "r12 == NULL || (u16)[r12] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, r12, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 348436,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "r12 == NULL || (u16)[r12] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "r12 == NULL || (u16)[r12] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, r12, rsp+0x50, [rax])")
OneGadget::Gadget.add(build_id, 348446,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "r12 == NULL || (u16)[r12] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "r12 == NULL || (u16)[r12] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, r12, r8, [rax])")
+OneGadget::Gadget.add(build_id, 553381,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 553388,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 553395,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 553398,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 553403,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 553408,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 553420,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 553426,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
OneGadget::Gadget.add(build_id, 553433,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
OneGadget::Gadget.add(build_id, 553440,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 553443,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, r9)")
OneGadget::Gadget.add(build_id, 944542,
- constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r15, r12)")
OneGadget::Gadget.add(build_id, 944545,
- constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r15, rdx)")
OneGadget::Gadget.add(build_id, 944548,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
OneGadget::Gadget.add(build_id, 945043,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r10, r12)")
OneGadget::Gadget.add(build_id, 945046,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r10, rdx)")
+OneGadget::Gadget.add(build_id, 945154,
+ constraints: ["writable: rbp-0x48", "r13 == NULL || {\"/bin/sh\", r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 945161,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 945168,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 945223,
+ constraints: ["writable: rbp-0x50", "[rbp-0x68] == NULL || {\"/bin/sh\", [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 945233,
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 945237,
- constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r10, r12)")
OneGadget::Gadget.add(build_id, 945245,
- constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r10, r12)")
OneGadget::Gadget.add(build_id, 1093545,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 1093557,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.30-33d1f350f13728651d74dd2a56bad1e4e4648f5e.rb b/lib/one_gadget/builds/libc-2.30-33d1f350f13728651d74dd2a56bad1e4e4648f5e.rb
index 103bbc2..cf9c995 100644
--- a/lib/one_gadget/builds/libc-2.30-33d1f350f13728651d74dd2a56bad1e4e4648f5e.rb
+++ b/lib/one_gadget/builds/libc-2.30-33d1f350f13728651d74dd2a56bad1e4e4648f5e.rb
@@ -14,37 +14,61 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 298476,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 298484,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", 0, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 298493,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 298498,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 298503,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 298515,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 486805,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 486810,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 486815,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 486827,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 486836,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 840618,
- constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", r12, r13)")
OneGadget::Gadget.add(build_id, 840621,
- constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r12, rdx)")
OneGadget::Gadget.add(build_id, 840624,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 840707,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 840714,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 840721,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 962475,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 962487,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.30-7a1e2ae26cef50584af2c60a5ad3a7ae3e9b1446.rb b/lib/one_gadget/builds/libc-2.30-7a1e2ae26cef50584af2c60a5ad3a7ae3e9b1446.rb
index 3ad8c5a..2b25b99 100644
--- a/lib/one_gadget/builds/libc-2.30-7a1e2ae26cef50584af2c60a5ad3a7ae3e9b1446.rb
+++ b/lib/one_gadget/builds/libc-2.30-7a1e2ae26cef50584af2c60a5ad3a7ae3e9b1446.rb
@@ -14,37 +14,61 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 298476,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 298484,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", 0, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 298493,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 298498,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 298503,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 298515,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 486805,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 486810,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 486815,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 486827,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 486836,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 840618,
- constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", r12, r13)")
OneGadget::Gadget.add(build_id, 840621,
- constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r12, rdx)")
OneGadget::Gadget.add(build_id, 840624,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 840707,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 840714,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 840721,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 962475,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 962487,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.30-884362aa891ab565e4cf904cd60be984a7941acd.rb b/lib/one_gadget/builds/libc-2.30-884362aa891ab565e4cf904cd60be984a7941acd.rb
index b257354..5c9e954 100644
--- a/lib/one_gadget/builds/libc-2.30-884362aa891ab565e4cf904cd60be984a7941acd.rb
+++ b/lib/one_gadget/builds/libc-2.30-884362aa891ab565e4cf904cd60be984a7941acd.rb
@@ -15,7 +15,7 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 833099,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"],
effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)")
OneGadget::Gadget.add(build_id, 1331107,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.30-c0a4471ee8f24f2ecc0ad1ccbd4633fa6fa36654.rb b/lib/one_gadget/builds/libc-2.30-c0a4471ee8f24f2ecc0ad1ccbd4633fa6fa36654.rb
index 6ed9601..a8cfd34 100644
--- a/lib/one_gadget/builds/libc-2.30-c0a4471ee8f24f2ecc0ad1ccbd4633fa6fa36654.rb
+++ b/lib/one_gadget/builds/libc-2.30-c0a4471ee8f24f2ecc0ad1ccbd4633fa6fa36654.rb
@@ -15,7 +15,7 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 840475,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"],
effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)")
OneGadget::Gadget.add(build_id, 1343435,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.30-c60a7605ae87b9b40426e3123b12a91bfe2036f3.rb b/lib/one_gadget/builds/libc-2.30-c60a7605ae87b9b40426e3123b12a91bfe2036f3.rb
index 96c3b74..c73bdeb 100644
--- a/lib/one_gadget/builds/libc-2.30-c60a7605ae87b9b40426e3123b12a91bfe2036f3.rb
+++ b/lib/one_gadget/builds/libc-2.30-c60a7605ae87b9b40426e3123b12a91bfe2036f3.rb
@@ -15,7 +15,7 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 840475,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"],
effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)")
OneGadget::Gadget.add(build_id, 1343387,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.30-cbe9cff3c43b979739af1681b61a3d585725577b.rb b/lib/one_gadget/builds/libc-2.30-cbe9cff3c43b979739af1681b61a3d585725577b.rb
index 1b981ca..024425f 100644
--- a/lib/one_gadget/builds/libc-2.30-cbe9cff3c43b979739af1681b61a3d585725577b.rb
+++ b/lib/one_gadget/builds/libc-2.30-cbe9cff3c43b979739af1681b61a3d585725577b.rb
@@ -14,61 +14,94 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 348403,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r12 == NULL || (u16)[r12] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r12, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 348410,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "r12 == NULL || (u16)[r12] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r12, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 348422,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm1 == NULL || {\"sh\", (u64)xmm1, rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "r12 == NULL || (u16)[r12] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, r12, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 348436,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "r12 == NULL || (u16)[r12] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "r12 == NULL || (u16)[r12] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, r12, rsp+0x50, [rax])")
OneGadget::Gadget.add(build_id, 348446,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "r12 == NULL || (u16)[r12] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "r12 == NULL || (u16)[r12] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, r12, r8, [rax])")
+OneGadget::Gadget.add(build_id, 553381,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 553388,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 553395,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 553398,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 553403,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 553408,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 553420,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 553426,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
OneGadget::Gadget.add(build_id, 553433,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
OneGadget::Gadget.add(build_id, 553440,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 553443,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, r9)")
OneGadget::Gadget.add(build_id, 944542,
- constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r15, r12)")
OneGadget::Gadget.add(build_id, 944545,
- constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r15, rdx)")
OneGadget::Gadget.add(build_id, 944548,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
OneGadget::Gadget.add(build_id, 945043,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r10, r12)")
OneGadget::Gadget.add(build_id, 945046,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r10, rdx)")
+OneGadget::Gadget.add(build_id, 945154,
+ constraints: ["writable: rbp-0x48", "r13 == NULL || {\"/bin/sh\", r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 945161,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 945168,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 945223,
+ constraints: ["writable: rbp-0x50", "[rbp-0x68] == NULL || {\"/bin/sh\", [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 945233,
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 945237,
- constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r10, r12)")
OneGadget::Gadget.add(build_id, 945245,
- constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r10, r12)")
OneGadget::Gadget.add(build_id, 1093433,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
OneGadget::Gadget.add(build_id, 1093445,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.30-f07144cc3d0ac50415f3a2e061be6da672c914ba.rb b/lib/one_gadget/builds/libc-2.30-f07144cc3d0ac50415f3a2e061be6da672c914ba.rb
index 75dbc5d..2b186f6 100644
--- a/lib/one_gadget/builds/libc-2.30-f07144cc3d0ac50415f3a2e061be6da672c914ba.rb
+++ b/lib/one_gadget/builds/libc-2.30-f07144cc3d0ac50415f3a2e061be6da672c914ba.rb
@@ -14,37 +14,61 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 300668,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 300676,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", 0, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 300685,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 300690,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 300695,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 300707,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 491573,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 491578,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 491583,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 491595,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 491604,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 846513,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 846516,
- constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r13, rdx)")
OneGadget::Gadget.add(build_id, 846519,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 846602,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 846609,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 846616,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 970123,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 970135,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.30-f44469d65b4efd2e5951513ed7cbf773657f1283.rb b/lib/one_gadget/builds/libc-2.30-f44469d65b4efd2e5951513ed7cbf773657f1283.rb
index 542d566..9878ca5 100644
--- a/lib/one_gadget/builds/libc-2.30-f44469d65b4efd2e5951513ed7cbf773657f1283.rb
+++ b/lib/one_gadget/builds/libc-2.30-f44469d65b4efd2e5951513ed7cbf773657f1283.rb
@@ -14,37 +14,61 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 300668,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 300676,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", 0, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 300685,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 300690,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 300695,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 300707,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 491573,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 491578,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 491583,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 491595,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 491604,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 846513,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 846516,
- constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r13, rdx)")
OneGadget::Gadget.add(build_id, 846519,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 846602,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 846609,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 846616,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 970075,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 970087,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.31-012f3f1e614cb9c829b8d1590d228cc6a9506a03.rb b/lib/one_gadget/builds/libc-2.31-012f3f1e614cb9c829b8d1590d228cc6a9506a03.rb
index e14e574..9ef441d 100644
--- a/lib/one_gadget/builds/libc-2.31-012f3f1e614cb9c829b8d1590d228cc6a9506a03.rb
+++ b/lib/one_gadget/builds/libc-2.31-012f3f1e614cb9c829b8d1590d228cc6a9506a03.rb
@@ -15,7 +15,7 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 826283,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"],
effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)")
OneGadget::Gadget.add(build_id, 1329163,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.31-099b9225bcb0d019d9d60884be583eb31bb5f44e.rb b/lib/one_gadget/builds/libc-2.31-099b9225bcb0d019d9d60884be583eb31bb5f44e.rb
index 0051b55..853be6b 100644
--- a/lib/one_gadget/builds/libc-2.31-099b9225bcb0d019d9d60884be583eb31bb5f44e.rb
+++ b/lib/one_gadget/builds/libc-2.31-099b9225bcb0d019d9d60884be583eb31bb5f44e.rb
@@ -14,67 +14,109 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 348027,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 348034,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 348041,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 348048,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 348053,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 348069,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])")
OneGadget::Gadget.add(build_id, 348074,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])")
+OneGadget::Gadget.add(build_id, 348077,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 348082,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
+OneGadget::Gadget.add(build_id, 553653,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 553660,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 553667,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 553670,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 553675,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 553680,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 553692,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 553698,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
OneGadget::Gadget.add(build_id, 553705,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 553712,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 945278,
- constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r15, r12)")
OneGadget::Gadget.add(build_id, 945281,
- constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r15, rdx)")
OneGadget::Gadget.add(build_id, 945284,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
OneGadget::Gadget.add(build_id, 945779,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r10, r12)")
OneGadget::Gadget.add(build_id, 945782,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r10, rdx)")
+OneGadget::Gadget.add(build_id, 945890,
+ constraints: ["writable: rbp-0x48", "r13 == NULL || {\"/bin/sh\", r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 945897,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 945904,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 945959,
+ constraints: ["writable: rbp-0x50", "[rbp-0x68] == NULL || {\"/bin/sh\", [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 945969,
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 945973,
- constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r10, r12)")
OneGadget::Gadget.add(build_id, 945981,
- constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r10, r12)")
OneGadget::Gadget.add(build_id, 1091370,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 1091378,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1091383,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1091393,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.31-0d1b3211736c4ca528a32ea0d565d41a2ede3b58.rb b/lib/one_gadget/builds/libc-2.31-0d1b3211736c4ca528a32ea0d565d41a2ede3b58.rb
index 2d419de..ec47558 100644
--- a/lib/one_gadget/builds/libc-2.31-0d1b3211736c4ca528a32ea0d565d41a2ede3b58.rb
+++ b/lib/one_gadget/builds/libc-2.31-0d1b3211736c4ca528a32ea0d565d41a2ede3b58.rb
@@ -14,43 +14,67 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 299518,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 299528,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 299535,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 299540,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 299545,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 299557,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 487925,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 487930,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 487935,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 487947,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 487956,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 841530,
- constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", r12, r13)")
OneGadget::Gadget.add(build_id, 841533,
- constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r12, rdx)")
OneGadget::Gadget.add(build_id, 841536,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 841619,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 841626,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 841633,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 962362,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 962370,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 962375,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 962385,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.31-0df979b8b244294bbc29bbe8f7f6dd6bf89c6820.rb b/lib/one_gadget/builds/libc-2.31-0df979b8b244294bbc29bbe8f7f6dd6bf89c6820.rb
index 414520d..3b63d24 100644
--- a/lib/one_gadget/builds/libc-2.31-0df979b8b244294bbc29bbe8f7f6dd6bf89c6820.rb
+++ b/lib/one_gadget/builds/libc-2.31-0df979b8b244294bbc29bbe8f7f6dd6bf89c6820.rb
@@ -15,7 +15,7 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 837611,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"],
effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)")
OneGadget::Gadget.add(build_id, 1334659,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.31-12e412d1938ec3ff79751f0e85f31bc52f7e3722.rb b/lib/one_gadget/builds/libc-2.31-12e412d1938ec3ff79751f0e85f31bc52f7e3722.rb
index b2bebac..db7ef44 100644
--- a/lib/one_gadget/builds/libc-2.31-12e412d1938ec3ff79751f0e85f31bc52f7e3722.rb
+++ b/lib/one_gadget/builds/libc-2.31-12e412d1938ec3ff79751f0e85f31bc52f7e3722.rb
@@ -14,43 +14,67 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 298140,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 298148,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", 0, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 298157,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 298162,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 298167,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 298179,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 487029,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 487034,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 487039,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 487051,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 487060,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 841002,
- constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", r12, r13)")
OneGadget::Gadget.add(build_id, 841005,
- constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r12, rdx)")
OneGadget::Gadget.add(build_id, 841008,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 841091,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 841098,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 841105,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 963538,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 963546,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 963551,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 963561,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.31-2886817dc06a87bdeef50544c0d6c12de13a8148.rb b/lib/one_gadget/builds/libc-2.31-2886817dc06a87bdeef50544c0d6c12de13a8148.rb
index 2965e5e..1d8856c 100644
--- a/lib/one_gadget/builds/libc-2.31-2886817dc06a87bdeef50544c0d6c12de13a8148.rb
+++ b/lib/one_gadget/builds/libc-2.31-2886817dc06a87bdeef50544c0d6c12de13a8148.rb
@@ -14,43 +14,67 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 287412,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 287422,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 287429,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 287434,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 287439,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 287451,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 478821,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 478826,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 478831,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 478843,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 478852,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 834305,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 834308,
- constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r13, rdx)")
OneGadget::Gadget.add(build_id, 834311,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 834394,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 834401,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 834408,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 958594,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 958602,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 958607,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 958617,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.31-4d4d0853eb075b8b0cfaee0aee7cdf4254a3e877.rb b/lib/one_gadget/builds/libc-2.31-4d4d0853eb075b8b0cfaee0aee7cdf4254a3e877.rb
index 16a3b5b..6971184 100644
--- a/lib/one_gadget/builds/libc-2.31-4d4d0853eb075b8b0cfaee0aee7cdf4254a3e877.rb
+++ b/lib/one_gadget/builds/libc-2.31-4d4d0853eb075b8b0cfaee0aee7cdf4254a3e877.rb
@@ -14,43 +14,67 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 300292,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 300302,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 300309,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 300314,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 300319,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 300331,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 491701,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 491706,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 491711,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 491723,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 491732,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 847169,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 847172,
- constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r13, rdx)")
OneGadget::Gadget.add(build_id, 847175,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 847258,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 847265,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 847272,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 971458,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 971466,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 971471,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 971481,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.31-58a58f2fcdafddacb4a08439ea2ee163ff645d1d.rb b/lib/one_gadget/builds/libc-2.31-58a58f2fcdafddacb4a08439ea2ee163ff645d1d.rb
index 75d4c4b..3f6e172 100644
--- a/lib/one_gadget/builds/libc-2.31-58a58f2fcdafddacb4a08439ea2ee163ff645d1d.rb
+++ b/lib/one_gadget/builds/libc-2.31-58a58f2fcdafddacb4a08439ea2ee163ff645d1d.rb
@@ -15,7 +15,7 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 821515,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"],
effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)")
OneGadget::Gadget.add(build_id, 1318755,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.31-634252e0c5f8b03957a2e529719d4101699a894a.rb b/lib/one_gadget/builds/libc-2.31-634252e0c5f8b03957a2e529719d4101699a894a.rb
index 9c7d2ca..fd36be1 100644
--- a/lib/one_gadget/builds/libc-2.31-634252e0c5f8b03957a2e529719d4101699a894a.rb
+++ b/lib/one_gadget/builds/libc-2.31-634252e0c5f8b03957a2e529719d4101699a894a.rb
@@ -14,67 +14,109 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 348027,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 348034,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 348041,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 348048,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 348053,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 348069,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])")
OneGadget::Gadget.add(build_id, 348074,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])")
+OneGadget::Gadget.add(build_id, 348077,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 348082,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
+OneGadget::Gadget.add(build_id, 553653,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 553660,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 553667,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 553670,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 553675,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 553680,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 553692,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 553698,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
OneGadget::Gadget.add(build_id, 553705,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 553712,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 944878,
- constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r15, r12)")
OneGadget::Gadget.add(build_id, 944881,
- constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r15, rdx)")
OneGadget::Gadget.add(build_id, 944884,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
OneGadget::Gadget.add(build_id, 945379,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r10, r12)")
OneGadget::Gadget.add(build_id, 945382,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r10, rdx)")
+OneGadget::Gadget.add(build_id, 945490,
+ constraints: ["writable: rbp-0x48", "r13 == NULL || {\"/bin/sh\", r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 945497,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 945504,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 945559,
+ constraints: ["writable: rbp-0x50", "[rbp-0x68] == NULL || {\"/bin/sh\", [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 945569,
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 945573,
- constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r10, r12)")
OneGadget::Gadget.add(build_id, 945581,
- constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r10, r12)")
OneGadget::Gadget.add(build_id, 1090970,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 1090978,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1090983,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1090993,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.31-6b143503744b9d6c22e479941488d6a9e6e3f1c5.rb b/lib/one_gadget/builds/libc-2.31-6b143503744b9d6c22e479941488d6a9e6e3f1c5.rb
index ff633e8..446ee76 100644
--- a/lib/one_gadget/builds/libc-2.31-6b143503744b9d6c22e479941488d6a9e6e3f1c5.rb
+++ b/lib/one_gadget/builds/libc-2.31-6b143503744b9d6c22e479941488d6a9e6e3f1c5.rb
@@ -15,7 +15,7 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 826299,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"],
effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)")
OneGadget::Gadget.add(build_id, 1329195,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.31-6c6ea8a57519f219a10c9d6a6d199dd813680226.rb b/lib/one_gadget/builds/libc-2.31-6c6ea8a57519f219a10c9d6a6d199dd813680226.rb
index 5b642ae..25b958d 100644
--- a/lib/one_gadget/builds/libc-2.31-6c6ea8a57519f219a10c9d6a6d199dd813680226.rb
+++ b/lib/one_gadget/builds/libc-2.31-6c6ea8a57519f219a10c9d6a6d199dd813680226.rb
@@ -15,7 +15,7 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 842379,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"],
effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)")
OneGadget::Gadget.add(build_id, 1345083,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.31-6dbad1709854c527793f6401666e45a791b7c793.rb b/lib/one_gadget/builds/libc-2.31-6dbad1709854c527793f6401666e45a791b7c793.rb
index 9a726e6..a3c8232 100644
--- a/lib/one_gadget/builds/libc-2.31-6dbad1709854c527793f6401666e45a791b7c793.rb
+++ b/lib/one_gadget/builds/libc-2.31-6dbad1709854c527793f6401666e45a791b7c793.rb
@@ -14,43 +14,67 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 298140,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 298148,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", 0, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 298157,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 298162,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 298167,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 298179,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 487029,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 487034,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 487039,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 487051,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 487060,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 841002,
- constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", r12, r13)")
OneGadget::Gadget.add(build_id, 841005,
- constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r12, rdx)")
OneGadget::Gadget.add(build_id, 841008,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 841091,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 841098,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 841105,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 963538,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 963546,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 963551,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 963561,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.31-85d7bb2dad0f8172d1c02c0311a00c4695933beb.rb b/lib/one_gadget/builds/libc-2.31-85d7bb2dad0f8172d1c02c0311a00c4695933beb.rb
index 1159f00..29f8278 100644
--- a/lib/one_gadget/builds/libc-2.31-85d7bb2dad0f8172d1c02c0311a00c4695933beb.rb
+++ b/lib/one_gadget/builds/libc-2.31-85d7bb2dad0f8172d1c02c0311a00c4695933beb.rb
@@ -15,7 +15,7 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 838059,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"],
effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)")
OneGadget::Gadget.add(build_id, 1335107,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.31-8629fa2eea681f639a0c18305d4548850dde3450.rb b/lib/one_gadget/builds/libc-2.31-8629fa2eea681f639a0c18305d4548850dde3450.rb
index 075f47e..469d50f 100644
--- a/lib/one_gadget/builds/libc-2.31-8629fa2eea681f639a0c18305d4548850dde3450.rb
+++ b/lib/one_gadget/builds/libc-2.31-8629fa2eea681f639a0c18305d4548850dde3450.rb
@@ -15,7 +15,7 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 821515,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"],
effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)")
OneGadget::Gadget.add(build_id, 1318771,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.31-94761ae31db09ce9140ca55cb6986a5ea9110abc.rb b/lib/one_gadget/builds/libc-2.31-94761ae31db09ce9140ca55cb6986a5ea9110abc.rb
index 49e4027..8ba0999 100644
--- a/lib/one_gadget/builds/libc-2.31-94761ae31db09ce9140ca55cb6986a5ea9110abc.rb
+++ b/lib/one_gadget/builds/libc-2.31-94761ae31db09ce9140ca55cb6986a5ea9110abc.rb
@@ -14,43 +14,67 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 287364,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 287374,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 287381,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 287386,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 287391,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 287403,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 478725,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 478730,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 478735,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 478747,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 478756,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 834193,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 834196,
- constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r13, rdx)")
OneGadget::Gadget.add(build_id, 834199,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 834282,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 834289,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 834296,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 958482,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 958490,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 958495,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 958505,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.31-9fdb74e7b217d06c93172a8243f8547f947ee6d1.rb b/lib/one_gadget/builds/libc-2.31-9fdb74e7b217d06c93172a8243f8547f947ee6d1.rb
index 1633e3a..88f377a 100644
--- a/lib/one_gadget/builds/libc-2.31-9fdb74e7b217d06c93172a8243f8547f947ee6d1.rb
+++ b/lib/one_gadget/builds/libc-2.31-9fdb74e7b217d06c93172a8243f8547f947ee6d1.rb
@@ -14,67 +14,109 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 335403,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 335410,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 335417,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 335424,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 335429,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 335445,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])")
OneGadget::Gadget.add(build_id, 335450,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])")
+OneGadget::Gadget.add(build_id, 335453,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 335458,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
+OneGadget::Gadget.add(build_id, 541029,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 541036,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 541043,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 541046,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 541051,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 541056,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 541068,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 541074,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
OneGadget::Gadget.add(build_id, 541081,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 541088,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 932654,
- constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r15, r12)")
OneGadget::Gadget.add(build_id, 932657,
- constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r15, rdx)")
OneGadget::Gadget.add(build_id, 932660,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
OneGadget::Gadget.add(build_id, 933155,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r10, r12)")
OneGadget::Gadget.add(build_id, 933158,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r10, rdx)")
+OneGadget::Gadget.add(build_id, 933266,
+ constraints: ["writable: rbp-0x48", "r13 == NULL || {\"/bin/sh\", r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 933273,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 933280,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 933335,
+ constraints: ["writable: rbp-0x50", "[rbp-0x68] == NULL || {\"/bin/sh\", [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 933345,
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 933349,
- constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r10, r12)")
OneGadget::Gadget.add(build_id, 933357,
- constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r10, r12)")
OneGadget::Gadget.add(build_id, 1078746,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 1078754,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1078759,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1078769,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.31-c9d56de82ddd00d822d6100034f3075ef1709cd2.rb b/lib/one_gadget/builds/libc-2.31-c9d56de82ddd00d822d6100034f3075ef1709cd2.rb
index f230921..8582ed6 100644
--- a/lib/one_gadget/builds/libc-2.31-c9d56de82ddd00d822d6100034f3075ef1709cd2.rb
+++ b/lib/one_gadget/builds/libc-2.31-c9d56de82ddd00d822d6100034f3075ef1709cd2.rb
@@ -14,67 +14,109 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 335355,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 335362,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 335369,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 335376,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 335381,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 335397,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])")
OneGadget::Gadget.add(build_id, 335402,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])")
+OneGadget::Gadget.add(build_id, 335405,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 335410,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
+OneGadget::Gadget.add(build_id, 540981,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 540988,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 540995,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 540998,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 541003,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 541008,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 541020,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 541026,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
OneGadget::Gadget.add(build_id, 541033,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 541040,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 932606,
- constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r15, r12)")
OneGadget::Gadget.add(build_id, 932609,
- constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r15, rdx)")
OneGadget::Gadget.add(build_id, 932612,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
OneGadget::Gadget.add(build_id, 933107,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r10, r12)")
OneGadget::Gadget.add(build_id, 933110,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r10, rdx)")
+OneGadget::Gadget.add(build_id, 933218,
+ constraints: ["writable: rbp-0x48", "r13 == NULL || {\"/bin/sh\", r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 933225,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 933232,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 933287,
+ constraints: ["writable: rbp-0x50", "[rbp-0x68] == NULL || {\"/bin/sh\", [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 933297,
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 933301,
- constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r10, r12)")
OneGadget::Gadget.add(build_id, 933309,
- constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r10, r12)")
OneGadget::Gadget.add(build_id, 1078698,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 1078706,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1078711,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1078721,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.31-e67e80e70619717709e3180e552a11a285036a54.rb b/lib/one_gadget/builds/libc-2.31-e67e80e70619717709e3180e552a11a285036a54.rb
index 287e70c..91fab78 100644
--- a/lib/one_gadget/builds/libc-2.31-e67e80e70619717709e3180e552a11a285036a54.rb
+++ b/lib/one_gadget/builds/libc-2.31-e67e80e70619717709e3180e552a11a285036a54.rb
@@ -14,43 +14,67 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 299630,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 299640,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 299647,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 299652,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 299657,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 299669,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 488037,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 488042,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 488047,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 488059,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 488068,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 841642,
- constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", r12, r13)")
OneGadget::Gadget.add(build_id, 841645,
- constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r12, rdx)")
OneGadget::Gadget.add(build_id, 841648,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 841731,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 841738,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 841745,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 962474,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 962482,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 962487,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 962497,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.31-eb3c5cf73a0a6b7f2b3895a56dbc443806700971.rb b/lib/one_gadget/builds/libc-2.31-eb3c5cf73a0a6b7f2b3895a56dbc443806700971.rb
index 41a2cd1..d669037 100644
--- a/lib/one_gadget/builds/libc-2.31-eb3c5cf73a0a6b7f2b3895a56dbc443806700971.rb
+++ b/lib/one_gadget/builds/libc-2.31-eb3c5cf73a0a6b7f2b3895a56dbc443806700971.rb
@@ -14,43 +14,67 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 300292,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 300302,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 300309,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 300314,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 300319,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 300331,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 491701,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 491706,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 491711,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 491723,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 491732,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 846769,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 846772,
- constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r13, rdx)")
OneGadget::Gadget.add(build_id, 846775,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 846858,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 846865,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 846872,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 971058,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 971066,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 971071,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 971081,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.31-fb7626dd8b8a50f7685920487e992528834f6775.rb b/lib/one_gadget/builds/libc-2.31-fb7626dd8b8a50f7685920487e992528834f6775.rb
index 3f9c87d..b43efa1 100644
--- a/lib/one_gadget/builds/libc-2.31-fb7626dd8b8a50f7685920487e992528834f6775.rb
+++ b/lib/one_gadget/builds/libc-2.31-fb7626dd8b8a50f7685920487e992528834f6775.rb
@@ -15,7 +15,7 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 842827,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"],
effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)")
OneGadget::Gadget.add(build_id, 1345531,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.32-0e5c8d8738927eb715941480b3726fa764cc50ed.rb b/lib/one_gadget/builds/libc-2.32-0e5c8d8738927eb715941480b3726fa764cc50ed.rb
index 9138c02..f36e85a 100644
--- a/lib/one_gadget/builds/libc-2.32-0e5c8d8738927eb715941480b3726fa764cc50ed.rb
+++ b/lib/one_gadget/builds/libc-2.32-0e5c8d8738927eb715941480b3726fa764cc50ed.rb
@@ -14,8 +14,11 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 843712,
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
+ effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 843715,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 1358179,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.32-1e3fb06b8c86b5e282e3e11bd207d399fb4952e2.rb b/lib/one_gadget/builds/libc-2.32-1e3fb06b8c86b5e282e3e11bd207d399fb4952e2.rb
index 2d8b05b..e6aea3d 100644
--- a/lib/one_gadget/builds/libc-2.32-1e3fb06b8c86b5e282e3e11bd207d399fb4952e2.rb
+++ b/lib/one_gadget/builds/libc-2.32-1e3fb06b8c86b5e282e3e11bd207d399fb4952e2.rb
@@ -14,70 +14,109 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 327009,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 327016,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 327023,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 327030,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 327035,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 327051,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])")
OneGadget::Gadget.add(build_id, 327056,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])")
+OneGadget::Gadget.add(build_id, 327059,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 327064,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
+OneGadget::Gadget.add(build_id, 526533,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 526540,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 526547,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 526550,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 526555,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 526560,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 526572,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 526578,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
OneGadget::Gadget.add(build_id, 526585,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 526592,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 914284,
- constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r15, r12)")
OneGadget::Gadget.add(build_id, 914287,
- constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r15, rdx)")
OneGadget::Gadget.add(build_id, 914290,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
OneGadget::Gadget.add(build_id, 914773,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 914777,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r10, rdx)")
+OneGadget::Gadget.add(build_id, 914879,
+ constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 914886,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 914893,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 914948,
+ constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 914955,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 914962,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 914966,
- constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 1056410,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 1056418,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1056423,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1056433,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.32-7ec3e74da842ca3c6a9ba20b21303ce1bc7a45af.rb b/lib/one_gadget/builds/libc-2.32-7ec3e74da842ca3c6a9ba20b21303ce1bc7a45af.rb
index f4543d4..5ab05bd 100644
--- a/lib/one_gadget/builds/libc-2.32-7ec3e74da842ca3c6a9ba20b21303ce1bc7a45af.rb
+++ b/lib/one_gadget/builds/libc-2.32-7ec3e74da842ca3c6a9ba20b21303ce1bc7a45af.rb
@@ -14,70 +14,109 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 327489,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 327496,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 327503,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 327510,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 327515,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 327531,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])")
OneGadget::Gadget.add(build_id, 327536,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])")
+OneGadget::Gadget.add(build_id, 327539,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 327544,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
+OneGadget::Gadget.add(build_id, 527013,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 527020,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 527027,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 527030,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 527035,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 527040,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 527052,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 527058,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
OneGadget::Gadget.add(build_id, 527065,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 527072,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 914764,
- constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r15, r12)")
OneGadget::Gadget.add(build_id, 914767,
- constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r15, rdx)")
OneGadget::Gadget.add(build_id, 914770,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
OneGadget::Gadget.add(build_id, 915253,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 915257,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r10, rdx)")
+OneGadget::Gadget.add(build_id, 915359,
+ constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 915366,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 915373,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 915428,
+ constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 915435,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 915442,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 915446,
- constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 1056890,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 1056898,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1056903,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1056913,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.32-7fba7abef941659c229c2636aa0905c28652ee3f.rb b/lib/one_gadget/builds/libc-2.32-7fba7abef941659c229c2636aa0905c28652ee3f.rb
index 204213b..e2cf3af 100644
--- a/lib/one_gadget/builds/libc-2.32-7fba7abef941659c229c2636aa0905c28652ee3f.rb
+++ b/lib/one_gadget/builds/libc-2.32-7fba7abef941659c229c2636aa0905c28652ee3f.rb
@@ -14,43 +14,67 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 305864,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 305874,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 305881,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 305886,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 305891,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 305903,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 490453,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 490458,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 490463,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 490475,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 490484,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 846702,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 846705,
- constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r13, rdx)")
OneGadget::Gadget.add(build_id, 846708,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 846791,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 846798,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 846805,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 968906,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 968914,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 968919,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 968929,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.32-82f6b69e698bb579baefb35a3fb0346632fa2c4d.rb b/lib/one_gadget/builds/libc-2.32-82f6b69e698bb579baefb35a3fb0346632fa2c4d.rb
index 01d46a6..c5d648b 100644
--- a/lib/one_gadget/builds/libc-2.32-82f6b69e698bb579baefb35a3fb0346632fa2c4d.rb
+++ b/lib/one_gadget/builds/libc-2.32-82f6b69e698bb579baefb35a3fb0346632fa2c4d.rb
@@ -14,70 +14,109 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 327489,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 327496,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 327503,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 327510,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 327515,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 327531,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])")
OneGadget::Gadget.add(build_id, 327536,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])")
+OneGadget::Gadget.add(build_id, 327539,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 327544,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
+OneGadget::Gadget.add(build_id, 527013,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 527020,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 527027,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 527030,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 527035,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 527040,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 527052,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 527058,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
OneGadget::Gadget.add(build_id, 527065,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 527072,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 914764,
- constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r15, r12)")
OneGadget::Gadget.add(build_id, 914767,
- constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r15, rdx)")
OneGadget::Gadget.add(build_id, 914770,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
OneGadget::Gadget.add(build_id, 915253,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 915257,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r10, rdx)")
+OneGadget::Gadget.add(build_id, 915359,
+ constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 915366,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 915373,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 915428,
+ constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 915435,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 915442,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 915446,
- constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 1056890,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 1056898,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1056903,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1056913,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.32-87f011a7e4cc3fc60a54d0d3dd690e7438decc8d.rb b/lib/one_gadget/builds/libc-2.32-87f011a7e4cc3fc60a54d0d3dd690e7438decc8d.rb
index 9d945a4..e100c5c 100644
--- a/lib/one_gadget/builds/libc-2.32-87f011a7e4cc3fc60a54d0d3dd690e7438decc8d.rb
+++ b/lib/one_gadget/builds/libc-2.32-87f011a7e4cc3fc60a54d0d3dd690e7438decc8d.rb
@@ -14,43 +14,67 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 304072,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 304082,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 304089,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 304094,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 304099,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 304111,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 487573,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 487578,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 487583,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 487595,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 487604,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 842330,
- constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", r12, r13)")
OneGadget::Gadget.add(build_id, 842333,
- constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r12, rdx)")
OneGadget::Gadget.add(build_id, 842336,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 842419,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 842426,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 842433,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 963114,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 963122,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 963127,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 963137,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.32-92199dd358616182fb49c992330fb05e42eaa423.rb b/lib/one_gadget/builds/libc-2.32-92199dd358616182fb49c992330fb05e42eaa423.rb
index 1128239..e6c137e 100644
--- a/lib/one_gadget/builds/libc-2.32-92199dd358616182fb49c992330fb05e42eaa423.rb
+++ b/lib/one_gadget/builds/libc-2.32-92199dd358616182fb49c992330fb05e42eaa423.rb
@@ -14,8 +14,11 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 843712,
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
+ effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 843715,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 1358307,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.32-9d60d4bd625a7fe2439db781a5fc91bb69684903.rb b/lib/one_gadget/builds/libc-2.32-9d60d4bd625a7fe2439db781a5fc91bb69684903.rb
index 03ec38f..5aeaee6 100644
--- a/lib/one_gadget/builds/libc-2.32-9d60d4bd625a7fe2439db781a5fc91bb69684903.rb
+++ b/lib/one_gadget/builds/libc-2.32-9d60d4bd625a7fe2439db781a5fc91bb69684903.rb
@@ -14,8 +14,11 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 843712,
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
+ effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 843715,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 1358307,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.32-a75b0c335a4987f12d17d3b4adb8dc430432b082.rb b/lib/one_gadget/builds/libc-2.32-a75b0c335a4987f12d17d3b4adb8dc430432b082.rb
index 7d2f397..fc6eac9 100644
--- a/lib/one_gadget/builds/libc-2.32-a75b0c335a4987f12d17d3b4adb8dc430432b082.rb
+++ b/lib/one_gadget/builds/libc-2.32-a75b0c335a4987f12d17d3b4adb8dc430432b082.rb
@@ -14,8 +14,11 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 848880,
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
+ effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 848883,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 1370827,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.32-ac287babd169c70013b752da2713dfb96d9a503f.rb b/lib/one_gadget/builds/libc-2.32-ac287babd169c70013b752da2713dfb96d9a503f.rb
index f19e15f..bb508c6 100644
--- a/lib/one_gadget/builds/libc-2.32-ac287babd169c70013b752da2713dfb96d9a503f.rb
+++ b/lib/one_gadget/builds/libc-2.32-ac287babd169c70013b752da2713dfb96d9a503f.rb
@@ -14,70 +14,109 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 327489,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 327496,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 327503,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 327510,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 327515,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 327531,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])")
OneGadget::Gadget.add(build_id, 327536,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])")
+OneGadget::Gadget.add(build_id, 327539,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 327544,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
+OneGadget::Gadget.add(build_id, 527013,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 527020,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 527027,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 527030,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 527035,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 527040,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 527052,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 527058,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
OneGadget::Gadget.add(build_id, 527065,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 527072,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 914764,
- constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r15, r12)")
OneGadget::Gadget.add(build_id, 914767,
- constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r15, rdx)")
OneGadget::Gadget.add(build_id, 914770,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
OneGadget::Gadget.add(build_id, 915253,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 915257,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r10, rdx)")
+OneGadget::Gadget.add(build_id, 915359,
+ constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 915366,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 915373,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 915428,
+ constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 915435,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 915442,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 915446,
- constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 1056890,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 1056898,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1056903,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1056913,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.32-aebd80372a00285a5c486ef72917f935eb8f91be.rb b/lib/one_gadget/builds/libc-2.32-aebd80372a00285a5c486ef72917f935eb8f91be.rb
index 71b71c4..c150932 100644
--- a/lib/one_gadget/builds/libc-2.32-aebd80372a00285a5c486ef72917f935eb8f91be.rb
+++ b/lib/one_gadget/builds/libc-2.32-aebd80372a00285a5c486ef72917f935eb8f91be.rb
@@ -14,8 +14,11 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 843328,
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
+ effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 843331,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 1357923,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.32-bd0e9dc4e27475b5ab7dc59141daaa2626b8a760.rb b/lib/one_gadget/builds/libc-2.32-bd0e9dc4e27475b5ab7dc59141daaa2626b8a760.rb
index 501ea45..d0dd443 100644
--- a/lib/one_gadget/builds/libc-2.32-bd0e9dc4e27475b5ab7dc59141daaa2626b8a760.rb
+++ b/lib/one_gadget/builds/libc-2.32-bd0e9dc4e27475b5ab7dc59141daaa2626b8a760.rb
@@ -14,8 +14,11 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 848496,
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
+ effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 848499,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 1370571,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.32-bddeb6374fc99723cef3b3baafe48ac78fce13b4.rb b/lib/one_gadget/builds/libc-2.32-bddeb6374fc99723cef3b3baafe48ac78fce13b4.rb
index 0cf5065..b767dc9 100644
--- a/lib/one_gadget/builds/libc-2.32-bddeb6374fc99723cef3b3baafe48ac78fce13b4.rb
+++ b/lib/one_gadget/builds/libc-2.32-bddeb6374fc99723cef3b3baafe48ac78fce13b4.rb
@@ -14,8 +14,11 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 848880,
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
+ effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 848883,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 1370955,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.32-cb91dd613d38b806a16bed1b364c084ad63d1a1f.rb b/lib/one_gadget/builds/libc-2.32-cb91dd613d38b806a16bed1b364c084ad63d1a1f.rb
index c5bee1d..cdd0604 100644
--- a/lib/one_gadget/builds/libc-2.32-cb91dd613d38b806a16bed1b364c084ad63d1a1f.rb
+++ b/lib/one_gadget/builds/libc-2.32-cb91dd613d38b806a16bed1b364c084ad63d1a1f.rb
@@ -14,43 +14,67 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 305368,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 305378,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 305385,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 305390,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 305395,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 305407,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 489957,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 489962,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 489967,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 489979,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 489988,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 846206,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 846209,
- constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r13, rdx)")
OneGadget::Gadget.add(build_id, 846212,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 846295,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 846302,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 846309,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 968410,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 968418,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 968423,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 968433,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.32-d3f1cf7f55b985fd6d989880ec3599724fe40a26.rb b/lib/one_gadget/builds/libc-2.32-d3f1cf7f55b985fd6d989880ec3599724fe40a26.rb
index e724e2f..edfcb24 100644
--- a/lib/one_gadget/builds/libc-2.32-d3f1cf7f55b985fd6d989880ec3599724fe40a26.rb
+++ b/lib/one_gadget/builds/libc-2.32-d3f1cf7f55b985fd6d989880ec3599724fe40a26.rb
@@ -14,8 +14,11 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 848880,
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
+ effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 848883,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 1370955,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.32-e13b24f94b260dd6394bdb2433d2a78e37078d5c.rb b/lib/one_gadget/builds/libc-2.32-e13b24f94b260dd6394bdb2433d2a78e37078d5c.rb
index 05d9183..3c807c0 100644
--- a/lib/one_gadget/builds/libc-2.32-e13b24f94b260dd6394bdb2433d2a78e37078d5c.rb
+++ b/lib/one_gadget/builds/libc-2.32-e13b24f94b260dd6394bdb2433d2a78e37078d5c.rb
@@ -14,43 +14,67 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 305864,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 305874,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 305881,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 305886,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 305891,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 305903,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 490453,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 490458,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 490463,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 490475,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 490484,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 846702,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 846705,
- constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r13, rdx)")
OneGadget::Gadget.add(build_id, 846708,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 846791,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 846798,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 846805,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 968906,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 968914,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 968919,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 968929,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.32-e1596c76d0d93d8a36378ba976f034f140618d59.rb b/lib/one_gadget/builds/libc-2.32-e1596c76d0d93d8a36378ba976f034f140618d59.rb
index ba3d49f..295bfcd 100644
--- a/lib/one_gadget/builds/libc-2.32-e1596c76d0d93d8a36378ba976f034f140618d59.rb
+++ b/lib/one_gadget/builds/libc-2.32-e1596c76d0d93d8a36378ba976f034f140618d59.rb
@@ -14,43 +14,67 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 305864,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 305874,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 305881,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 305886,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 305891,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 305903,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 490453,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 490458,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 490463,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 490475,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 490484,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 846702,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 846705,
- constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r13, rdx)")
OneGadget::Gadget.add(build_id, 846708,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 846791,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 846798,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 846805,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 968906,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 968914,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 968919,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 968929,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.32-f45b67ab28af1581cba8e4713e0fd3b2bc004b2e.rb b/lib/one_gadget/builds/libc-2.32-f45b67ab28af1581cba8e4713e0fd3b2bc004b2e.rb
index 9b2f650..59e0575 100644
--- a/lib/one_gadget/builds/libc-2.32-f45b67ab28af1581cba8e4713e0fd3b2bc004b2e.rb
+++ b/lib/one_gadget/builds/libc-2.32-f45b67ab28af1581cba8e4713e0fd3b2bc004b2e.rb
@@ -14,43 +14,67 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 304072,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 304082,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 304089,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 304094,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 304099,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 304111,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 487573,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 487578,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 487583,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 487595,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 487604,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 842330,
- constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", r12, r13)")
OneGadget::Gadget.add(build_id, 842333,
- constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r12, rdx)")
OneGadget::Gadget.add(build_id, 842336,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 842419,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 842426,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 842433,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 963114,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 963122,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 963127,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 963137,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.33-18edf6b683a2f9768cc0ee9cc64ae6fbb545deb2.rb b/lib/one_gadget/builds/libc-2.33-18edf6b683a2f9768cc0ee9cc64ae6fbb545deb2.rb
index a906e3e..017d4b4 100644
--- a/lib/one_gadget/builds/libc-2.33-18edf6b683a2f9768cc0ee9cc64ae6fbb545deb2.rb
+++ b/lib/one_gadget/builds/libc-2.33-18edf6b683a2f9768cc0ee9cc64ae6fbb545deb2.rb
@@ -14,70 +14,109 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 325073,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 325080,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 325087,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 325094,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 325099,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 325115,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])")
OneGadget::Gadget.add(build_id, 325120,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])")
+OneGadget::Gadget.add(build_id, 325123,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 325128,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
+OneGadget::Gadget.add(build_id, 526053,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 526060,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 526067,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 526070,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 526075,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 526080,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 526092,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 526098,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
OneGadget::Gadget.add(build_id, 526105,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 526112,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 911132,
- constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r15, r12)")
OneGadget::Gadget.add(build_id, 911135,
- constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r15, rdx)")
OneGadget::Gadget.add(build_id, 911138,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
OneGadget::Gadget.add(build_id, 911621,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 911625,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r10, rdx)")
+OneGadget::Gadget.add(build_id, 911727,
+ constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 911734,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 911741,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 911796,
+ constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 911803,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 911810,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 911814,
- constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 1052858,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 1052866,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1052871,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1052881,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.33-1c943bf313b5b4546e47b830e70de6bbd6a0ba57.rb b/lib/one_gadget/builds/libc-2.33-1c943bf313b5b4546e47b830e70de6bbd6a0ba57.rb
index c1cd645..5c9ad6b 100644
--- a/lib/one_gadget/builds/libc-2.33-1c943bf313b5b4546e47b830e70de6bbd6a0ba57.rb
+++ b/lib/one_gadget/builds/libc-2.33-1c943bf313b5b4546e47b830e70de6bbd6a0ba57.rb
@@ -14,8 +14,11 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 840640,
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
+ effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 840643,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 1357363,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.33-2b48299781548c9bc452eac6df39902547c884ed.rb b/lib/one_gadget/builds/libc-2.33-2b48299781548c9bc452eac6df39902547c884ed.rb
index 3e86947..6cae341 100644
--- a/lib/one_gadget/builds/libc-2.33-2b48299781548c9bc452eac6df39902547c884ed.rb
+++ b/lib/one_gadget/builds/libc-2.33-2b48299781548c9bc452eac6df39902547c884ed.rb
@@ -14,70 +14,109 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 325073,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 325080,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 325087,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 325094,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 325099,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 325115,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])")
OneGadget::Gadget.add(build_id, 325120,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])")
+OneGadget::Gadget.add(build_id, 325123,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 325128,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
+OneGadget::Gadget.add(build_id, 526053,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 526060,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 526067,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 526070,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 526075,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 526080,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 526092,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 526098,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
OneGadget::Gadget.add(build_id, 526105,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 526112,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 911244,
- constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r15, r12)")
OneGadget::Gadget.add(build_id, 911247,
- constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r15, rdx)")
OneGadget::Gadget.add(build_id, 911250,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
OneGadget::Gadget.add(build_id, 911733,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 911737,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r10, rdx)")
+OneGadget::Gadget.add(build_id, 911839,
+ constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 911846,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 911853,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 911908,
+ constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 911915,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 911922,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 911926,
- constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 1052906,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 1052914,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1052919,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1052929,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.33-37169e68b33cad12e272bb4896d71fd0d4fd98bb.rb b/lib/one_gadget/builds/libc-2.33-37169e68b33cad12e272bb4896d71fd0d4fd98bb.rb
index e78bf67..30716de 100644
--- a/lib/one_gadget/builds/libc-2.33-37169e68b33cad12e272bb4896d71fd0d4fd98bb.rb
+++ b/lib/one_gadget/builds/libc-2.33-37169e68b33cad12e272bb4896d71fd0d4fd98bb.rb
@@ -14,43 +14,67 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 303704,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 303714,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 303721,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 303726,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 303731,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 303743,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 488949,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 488954,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 488959,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 488971,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 488980,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 842382,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 842385,
- constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r13, rdx)")
OneGadget::Gadget.add(build_id, 842388,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 842471,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 842478,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 842485,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 964842,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 964850,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 964855,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 964865,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.33-54a6e404e7dc1de7c1434a00b7b1ad325b81f22a.rb b/lib/one_gadget/builds/libc-2.33-54a6e404e7dc1de7c1434a00b7b1ad325b81f22a.rb
index d0167d5..e2ef4e8 100644
--- a/lib/one_gadget/builds/libc-2.33-54a6e404e7dc1de7c1434a00b7b1ad325b81f22a.rb
+++ b/lib/one_gadget/builds/libc-2.33-54a6e404e7dc1de7c1434a00b7b1ad325b81f22a.rb
@@ -14,43 +14,67 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 302248,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 302258,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 302265,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 302270,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 302275,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 302287,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 485861,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 485866,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 485871,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 485883,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 485892,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 838682,
- constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", r12, r13)")
OneGadget::Gadget.add(build_id, 838685,
- constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r12, rdx)")
OneGadget::Gadget.add(build_id, 838688,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 838771,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 838778,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 838785,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 959850,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 959858,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 959863,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 959873,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.33-7983d313db4a441a3762c8861ca405aa0331c0c8.rb b/lib/one_gadget/builds/libc-2.33-7983d313db4a441a3762c8861ca405aa0331c0c8.rb
index 59bffcd..c2a4c45 100644
--- a/lib/one_gadget/builds/libc-2.33-7983d313db4a441a3762c8861ca405aa0331c0c8.rb
+++ b/lib/one_gadget/builds/libc-2.33-7983d313db4a441a3762c8861ca405aa0331c0c8.rb
@@ -14,43 +14,67 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 303704,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 303714,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 303721,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 303726,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 303731,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 303743,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 488949,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 488954,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 488959,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 488971,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 488980,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 842238,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 842241,
- constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r13, rdx)")
OneGadget::Gadget.add(build_id, 842244,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 842327,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 842334,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 842341,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 964698,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 964706,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 964711,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 964721,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.33-8fdc2b2c65f3d782e52c01b546399eee8aa466dc.rb b/lib/one_gadget/builds/libc-2.33-8fdc2b2c65f3d782e52c01b546399eee8aa466dc.rb
index b8e844b..44f2d63 100644
--- a/lib/one_gadget/builds/libc-2.33-8fdc2b2c65f3d782e52c01b546399eee8aa466dc.rb
+++ b/lib/one_gadget/builds/libc-2.33-8fdc2b2c65f3d782e52c01b546399eee8aa466dc.rb
@@ -14,8 +14,11 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 840576,
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
+ effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 840579,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 1357603,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.33-9143da129b44b931a1c180e2b103e993dd2474fd.rb b/lib/one_gadget/builds/libc-2.33-9143da129b44b931a1c180e2b103e993dd2474fd.rb
index abc2137..56ad3b7 100644
--- a/lib/one_gadget/builds/libc-2.33-9143da129b44b931a1c180e2b103e993dd2474fd.rb
+++ b/lib/one_gadget/builds/libc-2.33-9143da129b44b931a1c180e2b103e993dd2474fd.rb
@@ -14,8 +14,11 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 846000,
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
+ effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 846003,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 1370395,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.33-97c8d90bd86bc698d156630e8803de433a640090.rb b/lib/one_gadget/builds/libc-2.33-97c8d90bd86bc698d156630e8803de433a640090.rb
index bf01099..281273e 100644
--- a/lib/one_gadget/builds/libc-2.33-97c8d90bd86bc698d156630e8803de433a640090.rb
+++ b/lib/one_gadget/builds/libc-2.33-97c8d90bd86bc698d156630e8803de433a640090.rb
@@ -14,70 +14,109 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 325057,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 325064,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 325071,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 325078,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 325083,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 325099,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])")
OneGadget::Gadget.add(build_id, 325104,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])")
+OneGadget::Gadget.add(build_id, 325107,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 325112,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
+OneGadget::Gadget.add(build_id, 526053,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 526060,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 526067,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 526070,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 526075,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 526080,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 526092,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 526098,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
OneGadget::Gadget.add(build_id, 526105,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])")
+OneGadget::Gadget.add(build_id, 526112,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 911244,
- constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r15, r12)")
OneGadget::Gadget.add(build_id, 911247,
- constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r15, rdx)")
OneGadget::Gadget.add(build_id, 911250,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
OneGadget::Gadget.add(build_id, 911733,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 911737,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r10, rdx)")
+OneGadget::Gadget.add(build_id, 911839,
+ constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 911846,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
OneGadget::Gadget.add(build_id, 911853,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 911908,
+ constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 911915,
- constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 911922,
- constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 911926,
- constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 1052938,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 1052946,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1052951,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1052961,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.33-9bf4c513db255ab7248cef9f0f96b4403df29852.rb b/lib/one_gadget/builds/libc-2.33-9bf4c513db255ab7248cef9f0f96b4403df29852.rb
index d21a96e..b42ea6e 100644
--- a/lib/one_gadget/builds/libc-2.33-9bf4c513db255ab7248cef9f0f96b4403df29852.rb
+++ b/lib/one_gadget/builds/libc-2.33-9bf4c513db255ab7248cef9f0f96b4403df29852.rb
@@ -14,43 +14,67 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 303704,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 303714,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 303721,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 303726,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 303731,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 303743,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 488933,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 488938,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 488943,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 488955,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 488964,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 842382,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 842385,
- constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r13, rdx)")
OneGadget::Gadget.add(build_id, 842388,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 842471,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 842478,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 842485,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 964842,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 964850,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 964855,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 964865,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.33-9e592d3efa165bc2bab8b40426370bd50cb0b027.rb b/lib/one_gadget/builds/libc-2.33-9e592d3efa165bc2bab8b40426370bd50cb0b027.rb
index 1638848..47ab9af 100644
--- a/lib/one_gadget/builds/libc-2.33-9e592d3efa165bc2bab8b40426370bd50cb0b027.rb
+++ b/lib/one_gadget/builds/libc-2.33-9e592d3efa165bc2bab8b40426370bd50cb0b027.rb
@@ -14,43 +14,67 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 302248,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 302258,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 302265,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 302270,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 302275,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 302287,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 485925,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 485930,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 485935,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 485947,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 485956,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 838938,
- constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", r12, r13)")
OneGadget::Gadget.add(build_id, 838941,
- constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r12, rdx)")
OneGadget::Gadget.add(build_id, 838944,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 839027,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 839034,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 839041,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 960106,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 960114,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 960119,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 960129,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.33-abf3b2a9815c0cd6e4280cd99474d34102804eb2.rb b/lib/one_gadget/builds/libc-2.33-abf3b2a9815c0cd6e4280cd99474d34102804eb2.rb
index 1029096..d3a8da0 100644
--- a/lib/one_gadget/builds/libc-2.33-abf3b2a9815c0cd6e4280cd99474d34102804eb2.rb
+++ b/lib/one_gadget/builds/libc-2.33-abf3b2a9815c0cd6e4280cd99474d34102804eb2.rb
@@ -14,43 +14,67 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 302248,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 302258,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 302265,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 302270,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 302275,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 302287,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 485925,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 485930,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 485935,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 485947,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 485956,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 838938,
- constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", r12, r13)")
OneGadget::Gadget.add(build_id, 838941,
- constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r12, rdx)")
OneGadget::Gadget.add(build_id, 838944,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 839027,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 839034,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 839041,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 960106,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 960114,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 960119,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 960129,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.33-b046eecd056a0c30995703f6cfca7a8e3a9ef5fa.rb b/lib/one_gadget/builds/libc-2.33-b046eecd056a0c30995703f6cfca7a8e3a9ef5fa.rb
index 738c045..25d5f94 100644
--- a/lib/one_gadget/builds/libc-2.33-b046eecd056a0c30995703f6cfca7a8e3a9ef5fa.rb
+++ b/lib/one_gadget/builds/libc-2.33-b046eecd056a0c30995703f6cfca7a8e3a9ef5fa.rb
@@ -14,43 +14,67 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 302248,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 302258,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 302265,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 302270,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 302275,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 302287,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 485925,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 485930,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 485935,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 485947,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 485956,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 838938,
- constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", r12, r13)")
OneGadget::Gadget.add(build_id, 838941,
- constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r12, rdx)")
OneGadget::Gadget.add(build_id, 838944,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 839027,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 839034,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 839041,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 960106,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 960114,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 960119,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 960129,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.33-b2262bfa6f1bffd1e9ddc845276dfaebb7c8f0b9.rb b/lib/one_gadget/builds/libc-2.33-b2262bfa6f1bffd1e9ddc845276dfaebb7c8f0b9.rb
index ecc3a02..48070e2 100644
--- a/lib/one_gadget/builds/libc-2.33-b2262bfa6f1bffd1e9ddc845276dfaebb7c8f0b9.rb
+++ b/lib/one_gadget/builds/libc-2.33-b2262bfa6f1bffd1e9ddc845276dfaebb7c8f0b9.rb
@@ -14,8 +14,11 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 840688,
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
+ effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 840691,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 1357523,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.33-f462ab2b79c7f29fb866da6e087e45261570a09c.rb b/lib/one_gadget/builds/libc-2.33-f462ab2b79c7f29fb866da6e087e45261570a09c.rb
index 7d3a9d7..7438bda 100644
--- a/lib/one_gadget/builds/libc-2.33-f462ab2b79c7f29fb866da6e087e45261570a09c.rb
+++ b/lib/one_gadget/builds/libc-2.33-f462ab2b79c7f29fb866da6e087e45261570a09c.rb
@@ -14,8 +14,11 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 845936,
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
+ effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 845939,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 1369851,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.33-f4af69206091c7f14a941f2dd77a79a7682a1184.rb b/lib/one_gadget/builds/libc-2.33-f4af69206091c7f14a941f2dd77a79a7682a1184.rb
index 4fa7ac0..4ec8c65 100644
--- a/lib/one_gadget/builds/libc-2.33-f4af69206091c7f14a941f2dd77a79a7682a1184.rb
+++ b/lib/one_gadget/builds/libc-2.33-f4af69206091c7f14a941f2dd77a79a7682a1184.rb
@@ -14,8 +14,11 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 846000,
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
+ effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 846003,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 1370043,
constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.34-140609514178a4bb96a3cd44ffdfede398a77610.rb b/lib/one_gadget/builds/libc-2.34-140609514178a4bb96a3cd44ffdfede398a77610.rb
index 57989f9..96b7369 100644
--- a/lib/one_gadget/builds/libc-2.34-140609514178a4bb96a3cd44ffdfede398a77610.rb
+++ b/lib/one_gadget/builds/libc-2.34-140609514178a4bb96a3cd44ffdfede398a77610.rb
@@ -14,8 +14,11 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 902864,
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
+ effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 902867,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 1494977,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.34-25594d4b6cbecda86ec968fa940c6c09937db70f.rb b/lib/one_gadget/builds/libc-2.34-25594d4b6cbecda86ec968fa940c6c09937db70f.rb
index 07fd738..cc27801 100644
--- a/lib/one_gadget/builds/libc-2.34-25594d4b6cbecda86ec968fa940c6c09937db70f.rb
+++ b/lib/one_gadget/builds/libc-2.34-25594d4b6cbecda86ec968fa940c6c09937db70f.rb
@@ -14,37 +14,70 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 307913,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 307923,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 307930,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 307935,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 307940,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 307952,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 490357,
+ constraints: ["writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 490364,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x70", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 490367,
+ constraints: ["writable: rsp+0x70", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 490379,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 490386,
+ constraints: ["writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 490407,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 893550,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 893553,
- constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r13, rdx)")
OneGadget::Gadget.add(build_id, 893556,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 893639,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
+OneGadget::Gadget.add(build_id, 893646,
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
+OneGadget::Gadget.add(build_id, 893653,
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 1014858,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 1014866,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1014871,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1014881,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.34-387920279e1c7892042ff27d76315d55e4651db9.rb b/lib/one_gadget/builds/libc-2.34-387920279e1c7892042ff27d76315d55e4651db9.rb
index d6cc5d1..cf9f445 100644
--- a/lib/one_gadget/builds/libc-2.34-387920279e1c7892042ff27d76315d55e4651db9.rb
+++ b/lib/one_gadget/builds/libc-2.34-387920279e1c7892042ff27d76315d55e4651db9.rb
@@ -14,8 +14,11 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 908704,
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
+ effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 908707,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 1509937,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.34-7e46fbc4d85f5df8b6f18630787ad281786a3512.rb b/lib/one_gadget/builds/libc-2.34-7e46fbc4d85f5df8b6f18630787ad281786a3512.rb
index 2d4c3b4..823c2ed 100644
--- a/lib/one_gadget/builds/libc-2.34-7e46fbc4d85f5df8b6f18630787ad281786a3512.rb
+++ b/lib/one_gadget/builds/libc-2.34-7e46fbc4d85f5df8b6f18630787ad281786a3512.rb
@@ -14,8 +14,11 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 925056,
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
+ effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 925059,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 1526097,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.34-8d631c824a37b236d1dc9686b224a573fd6048b4.rb b/lib/one_gadget/builds/libc-2.34-8d631c824a37b236d1dc9686b224a573fd6048b4.rb
index afec7c3..cb12ac3 100644
--- a/lib/one_gadget/builds/libc-2.34-8d631c824a37b236d1dc9686b224a573fd6048b4.rb
+++ b/lib/one_gadget/builds/libc-2.34-8d631c824a37b236d1dc9686b224a573fd6048b4.rb
@@ -14,8 +14,11 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 919216,
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
+ effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 919219,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 1511121,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.34-b8037b6260865346802321dd2256b8ad1d857e63.rb b/lib/one_gadget/builds/libc-2.34-b8037b6260865346802321dd2256b8ad1d857e63.rb
index e071cdb..2a85219 100644
--- a/lib/one_gadget/builds/libc-2.34-b8037b6260865346802321dd2256b8ad1d857e63.rb
+++ b/lib/one_gadget/builds/libc-2.34-b8037b6260865346802321dd2256b8ad1d857e63.rb
@@ -14,55 +14,106 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 345986,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 345993,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 346000,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 346007,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 346012,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 346028,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])")
OneGadget::Gadget.add(build_id, 346033,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])")
+OneGadget::Gadget.add(build_id, 346036,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 346041,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
+OneGadget::Gadget.add(build_id, 543797,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 543804,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 543811,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 543814,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 543819,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 543824,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 543829,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 543834,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 543854,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 978124,
- constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r15, r12)")
OneGadget::Gadget.add(build_id, 978127,
- constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r15, rdx)")
OneGadget::Gadget.add(build_id, 978130,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
OneGadget::Gadget.add(build_id, 978613,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 978617,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r10, rdx)")
+OneGadget::Gadget.add(build_id, 978719,
+ constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 978726,
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 978733,
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 978788,
+ constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
+OneGadget::Gadget.add(build_id, 978795,
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
+OneGadget::Gadget.add(build_id, 978802,
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
+OneGadget::Gadget.add(build_id, 978806,
+ constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
+ effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 1117482,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 1117490,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1117495,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1117505,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.34-ba4777827fe1fb729ca35acd99c8013936172a0d.rb b/lib/one_gadget/builds/libc-2.34-ba4777827fe1fb729ca35acd99c8013936172a0d.rb
index a04b4c3..ee989c7 100644
--- a/lib/one_gadget/builds/libc-2.34-ba4777827fe1fb729ca35acd99c8013936172a0d.rb
+++ b/lib/one_gadget/builds/libc-2.34-ba4777827fe1fb729ca35acd99c8013936172a0d.rb
@@ -14,37 +14,70 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 324297,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 324307,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 324314,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 324319,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 324324,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 324336,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 506709,
+ constraints: ["writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 506716,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x70", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 506719,
+ constraints: ["writable: rsp+0x70", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 506731,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 506738,
+ constraints: ["writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 506759,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 909902,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r13, r12)")
OneGadget::Gadget.add(build_id, 909905,
- constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r13, rdx)")
OneGadget::Gadget.add(build_id, 909908,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 909991,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
+OneGadget::Gadget.add(build_id, 909998,
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
+OneGadget::Gadget.add(build_id, 910005,
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r12)")
OneGadget::Gadget.add(build_id, 1031210,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 1031218,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1031223,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1031233,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.34-f0fc29165cbe6088c0e1adf03b0048fbecbc003a.rb b/lib/one_gadget/builds/libc-2.34-f0fc29165cbe6088c0e1adf03b0048fbecbc003a.rb
index 38bb700..59094c8 100644
--- a/lib/one_gadget/builds/libc-2.34-f0fc29165cbe6088c0e1adf03b0048fbecbc003a.rb
+++ b/lib/one_gadget/builds/libc-2.34-f0fc29165cbe6088c0e1adf03b0048fbecbc003a.rb
@@ -14,55 +14,106 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 329602,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 329609,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 329616,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 329623,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 329628,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 329644,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])")
OneGadget::Gadget.add(build_id, 329649,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])")
+OneGadget::Gadget.add(build_id, 329652,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 329657,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
+OneGadget::Gadget.add(build_id, 527445,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 527452,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 527459,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 527462,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 527467,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 527472,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 527477,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 527482,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 527502,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 961772,
- constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
effect: "execve(\"/bin/sh\", r15, r12)")
OneGadget::Gadget.add(build_id, 961775,
- constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r15, rdx)")
OneGadget::Gadget.add(build_id, 961778,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
OneGadget::Gadget.add(build_id, 962261,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 962265,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r10, rdx)")
+OneGadget::Gadget.add(build_id, 962367,
+ constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 962374,
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 962381,
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 962436,
+ constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
+OneGadget::Gadget.add(build_id, 962443,
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
+OneGadget::Gadget.add(build_id, 962450,
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
+OneGadget::Gadget.add(build_id, 962454,
+ constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
+ effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 1101130,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 1101138,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1101143,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1101153,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.35-89c3cb85f9e55046776471fed05ec441581d1969.rb b/lib/one_gadget/builds/libc-2.35-89c3cb85f9e55046776471fed05ec441581d1969.rb
index f16aeb7..eb96838 100644
--- a/lib/one_gadget/builds/libc-2.35-89c3cb85f9e55046776471fed05ec441581d1969.rb
+++ b/lib/one_gadget/builds/libc-2.35-89c3cb85f9e55046776471fed05ec441581d1969.rb
@@ -14,49 +14,91 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 330281,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0x1c, \"/bin/sh\", 0, rbp, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 330288,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0x1c, \"/bin/sh\", 0, rbp, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 330295,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0x1c, \"/bin/sh\", 0, rbp, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 330302,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, (u64)xmm3, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0x1c, \"/bin/sh\", rdx, rbp, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 330307,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm3, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rsp+0x1c, \"/bin/sh\", rdx, rbp, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 330323,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x60, [rax])")
OneGadget::Gadget.add(build_id, 330328,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])")
+OneGadget::Gadget.add(build_id, 330331,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
OneGadget::Gadget.add(build_id, 330336,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])")
+OneGadget::Gadget.add(build_id, 527413,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 527420,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 527427,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 527430,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
+OneGadget::Gadget.add(build_id, 527435,
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 527440,
- constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 527445,
- constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 527450,
- constraints: ["rsp & 0xf == 0", "[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, r8, environ)")
OneGadget::Gadget.add(build_id, 965873,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 965877,
- constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", r10, rdx)")
OneGadget::Gadget.add(build_id, 965880,
- constraints: ["writable: rbp-0x78", "[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["writable: rbp-0x78", "[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 965970,
+ constraints: ["writable: rbp-0x48", "r13 == NULL || {\"/bin/sh\", r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, r12)")
+OneGadget::Gadget.add(build_id, 966056,
+ constraints: ["writable: rbp-0x48", "r12 == NULL || {\"/bin/sh\", r12, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
+OneGadget::Gadget.add(build_id, 966063,
+ constraints: ["writable: rbp-0x48", "rax == NULL || {rax, r12, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
+OneGadget::Gadget.add(build_id, 966067,
+ constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])")
+OneGadget::Gadget.add(build_id, 966071,
+ constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"],
+ effect: "execve(\"/bin/sh\", r10, [rbp-0x70])")
OneGadget::Gadget.add(build_id, 1104834,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 1104842,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1104847,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1104857,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.35-ab265082cac9486923c709d48ee5dde080e243ff.rb b/lib/one_gadget/builds/libc-2.35-ab265082cac9486923c709d48ee5dde080e243ff.rb
index 5b0926f..3880d13 100644
--- a/lib/one_gadget/builds/libc-2.35-ab265082cac9486923c709d48ee5dde080e243ff.rb
+++ b/lib/one_gadget/builds/libc-2.35-ab265082cac9486923c709d48ee5dde080e243ff.rb
@@ -14,28 +14,55 @@
# .
build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 307410,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 307420,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
OneGadget::Gadget.add(build_id, 307427,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 307432,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 307437,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 307449,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 489349,
+ constraints: ["writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)")
OneGadget::Gadget.add(build_id, 489356,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x70", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 489359,
+ constraints: ["writable: rsp+0x70", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
OneGadget::Gadget.add(build_id, 489371,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 489378,
+ constraints: ["writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 489399,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 895287,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
OneGadget::Gadget.add(build_id, 1016778,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])")
OneGadget::Gadget.add(build_id, 1016786,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1016791,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
OneGadget::Gadget.add(build_id, 1016801,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.35-c376d41cff4473142a97ac1ff1eab433859dc3d4.rb b/lib/one_gadget/builds/libc-2.35-c376d41cff4473142a97ac1ff1eab433859dc3d4.rb
index c87de49..f05aa53 100644
--- a/lib/one_gadget/builds/libc-2.35-c376d41cff4473142a97ac1ff1eab433859dc3d4.rb
+++ b/lib/one_gadget/builds/libc-2.35-c376d41cff4473142a97ac1ff1eab433859dc3d4.rb
@@ -15,7 +15,7 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 912899,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x30]] == NULL || [ebp-0x30] == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x30]] == NULL || [ebp-0x30] == NULL || [ebp-0x30] is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
effect: "execve(\"/bin/sh\", [ebp-0x30], [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 1517633,
constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.35-dfca8b65dd2d2ca67f70dc7a556a6cfa8ba96ed8.rb b/lib/one_gadget/builds/libc-2.35-dfca8b65dd2d2ca67f70dc7a556a6cfa8ba96ed8.rb
index 51de680..ef26a40 100644
--- a/lib/one_gadget/builds/libc-2.35-dfca8b65dd2d2ca67f70dc7a556a6cfa8ba96ed8.rb
+++ b/lib/one_gadget/builds/libc-2.35-dfca8b65dd2d2ca67f70dc7a556a6cfa8ba96ed8.rb
@@ -15,7 +15,7 @@
build_id = File.basename(__FILE__, '.rb').split('-').last
OneGadget::Gadget.add(build_id, 907139,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x30]] == NULL || [ebp-0x30] == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x30]] == NULL || [ebp-0x30] == NULL || [ebp-0x30] is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
effect: "execve(\"/bin/sh\", [ebp-0x30], [ebp-0x2c])")
OneGadget::Gadget.add(build_id, 1502977,
constraints: ["esi is the GOT address of libc", "eax == NULL"],